AuditPro Enterprise™

Description:
Check for users that have not been explicitly assigned a profile and have assumed the DEFAULT profile.
A profile is a set of limits on database resources and password management features on a database. Each user in Oracle is associated with a profile. If no profile is associated explicitly with a user, the DEFAULT profile is assigned. The DEFAULT profile, by default, is unlimited.

CVE Reference No.: CVE-NO-MATCH

Severity	USERNAME	PROFILE
	SYS	DEFAULT
	SYSTEM	DEFAULT
	DBSNMP	DEFAULT
	AURORA$JIS$UTILITY$	DEFAULT
	AURORA$ORB$UNAUTHENTICATED	DEFAULT
	SCOTT	DEFAULT
	OSE$HTTP$ADMIN	DEFAULT
	OUTLN	DEFAULT
	WKSYS	DEFAULT
	QS_CBADM	DEFAULT
	QS_OS	DEFAULT
	QS_ES	DEFAULT
	SH	DEFAULT
	PM	DEFAULT
	OE	DEFAULT
	HR	DEFAULT
	QS_WS	DEFAULT
	QS	DEFAULT
	QS_ADM	DEFAULT
	QS_CS	DEFAULT
	QS_CB	DEFAULT
	RMAN	DEFAULT
	OLAPDBA	DEFAULT
	CTXSYS	DEFAULT
	OLAPSVR	DEFAULT
	OLAPSYS	DEFAULT
	MDSYS	DEFAULT
	ORDPLUGINS	DEFAULT
	ORDSYS	DEFAULT

Solution:
You should change from using the DEFAULT profile to use task-defined profiles. To create a new profile, execute the following command:

CREATE PROFILE [profile name] LIMIT
SESSIONS_PER_USER 2
CPU_PER_SESSION unlimited
CPU_PER_CALL 6000
LOGICAL_READS_PER_SESSION unlimited
LOGICAL_READS_PER_CALL 100
IDLE_TIME 30
CONNECT_TIME 480;

To change the profile associated with a user, execute the following command:
ALTER USER [username]
PROFILE [profile name];

Description:
This check finds all fixed user database links that are stored with a cleartext password. A database link is a pointer within an Oracle database to a remote database. For fixed user database links, the information on how to connect to the database is stored in the system table SYS.LINK$. Within this table are four sensitive columns:
-USERID
-PASSWORD
-AUTHUSR
-AUTHPWD
These columns contain the usernames and passwords used to connect to the remote database. In order to connect to the remote database, the username and passwords in this table must be stored in plain text.

Because of the security concerns with storing passwords in clear text, it is recommended that you use a connected user and current user database links. These types of links do not include credentials in the definition of the link. Using these forms of database links are preferred.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Database Link Passwords in Cleartext	No violations found

Description:
Check for default passwords that have not been changed. Oracle databases have several well-known default username/password combinations. These combinations include the following:
SCOTT/TIGER,
DBSNMP/DBSNMP,
SYSTEM/MANAGER,
SYS/CHANGE_ON_INSTALL,
TRACESVR/TRACE,
CTXSYS/CTXSYS,
MDSYS/MDSYS,
DEMO/DEMO,
CTXDEMO/CTXDEMO,
APPLSYS/FND,
PO8/PO8,
NAMES/NAMES,
SYSADM/SYSADM,
ORDPLUGINS/ORDPLUGINS,
OUTLN/OUTLN,
ADAMS/WOOD,
BLAKE/PAPER,
JONES/STEEL,
CLARK/CLOTH,
AURORA$ORB$UNAUTHENTICATED/INVALID,
and APPS/APPS.
These default combinations may provide unauthorized access to the server.

CVE Reference No.: CVE-NO-MATCH

Severity	USERNAME	DEFAULT	PASSWORD
	SYSTEM	DEFAULT	D4DF7931AB130E37
	DBSNMP	DEFAULT	E066D214D5421CCC
	SCOTT	DEFAULT	F894844C34402B67
	OUTLN	DEFAULT	4A3BA55E08595C81
	ORDSYS	DEFAULT	7EFA02EC7EA6B86F
	OLAPSVR	DEFAULT	AF52CFD036E8F425
	OLAPSYS	DEFAULT	3FB8EF9DB538647C
	ORDPLUGINS	DEFAULT	88A2B2C183431F00
	MDSYS	DEFAULT	72979A94BAD2AF80
	OLAPDBA	DEFAULT	1AF71599EDACFB00
	RMAN	DEFAULT	E7B5D92911C831E1

Solution:
Change the default password to a value that is difficult to guess. Change the password for an account by executing the following command:
ALTER USER [username] IDENTIFIED BY [new password]

Note: If you use Oracle Intelligent Agent and change the password for the DBSNMP account, you must also place the new password in the snmp_rw.ora file.

Description:
Verify that default role passwords have been changed. Many roles contain powerful privileges for which you may want to provide additional security. For this reason, Oracle allows roles to be assigned to passwords, requiring users to submit the password before the role can be enabled. Oracle is installed with a set of well-known roles and passwords. If the default password for these roles have not been changed, an attacker can gain elevated privileges.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Default role password	No violations found

Description:
If SAP is being used on Oracle, it has the default password of SAPR3 after installation. This can be used by an attacker to authenticate himself to the Oracle database. The SAP account is likely to have much higher privileges than the other accounts, and is therefore more critical.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Default SAP account	No violations found

Description:
Check for evidence of password attacks. A password attack is a method of attempting to compromise a system by connecting using words from a dictionary for the password. People typically pick passwords that are easy to remember, such as names, birthdays, or words found in a dictionary. To prevent and detect this type of attack, set the Password Lockout feature for Oracle 8 and periodically review the audit logs for evidence of attacks. This check requires that auditing of failed connections be enabled and that auditing data be written to the SYS.AUD$ table. Oracle 7 does not have a Failed Login Limit function. Check the audit log for evidence of successful attack.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Excessive Failed Logins	No violations found

Description:
Check that password ages do not exceed a reasonable password lifetime. Oracle 8 introduced the ability to limit password lifetime through the use of profiles. This check uses the built-in password aging functionality of Oracle for version 8 servers and higher. The password lifetime will be taken from the profile associated with the accounts. Requiring password changes on a regular basis counters undetected password compromises. By determining and setting an appropriate password lifetime, the security risk associated with password authentication can be reduced. The longer a password is in use, the more likely the password will become exposed, whether through brute force, eavesdropping, or other avenues.

CVE Reference No.: CVE-NO-MATCH

Severity	USERNAME	ACCOUNT_STATUS
	OUTLN	EXPIRED & LOCKED
	WKSYS	EXPIRED & LOCKED
	QS_CBADM	EXPIRED & LOCKED
	QS_OS	EXPIRED & LOCKED
	QS_ES	EXPIRED & LOCKED
	SH	EXPIRED & LOCKED
	PM	EXPIRED & LOCKED
	OE	EXPIRED & LOCKED
	HR	EXPIRED & LOCKED
	QS_WS	EXPIRED & LOCKED
	QS	EXPIRED & LOCKED
	QS_ADM	EXPIRED & LOCKED
	QS_CS	EXPIRED & LOCKED
	QS_CB	EXPIRED & LOCKED
	RMAN	EXPIRED & LOCKED
	OLAPDBA	EXPIRED & LOCKED
	CTXSYS	EXPIRED & LOCKED
	OLAPSVR	EXPIRED & LOCKED
	OLAPSYS	EXPIRED & LOCKED
	MDSYS	EXPIRED & LOCKED
	ORDPLUGINS	EXPIRED & LOCKED
	ORDSYS	EXPIRED & LOCKED

Solution:
Remind users to change their passwords on a regular basis. Change a password by executing the command ALTER USER IDENTIFIED BY .

Description:
The FAILED_LOGIN_ATTEMPTS parameter defines the number of successive failed login attempts that can be performed before an account's status is changed to locked. This protects against attackers attempting to guess a password for an account. If this parameter is set low enough, the effectiveness of password attacks on the database can be eliminated.
The password management features of Oracle are enabled through the use of profiles. A profile is a set of limits on database resources and of parameters for the password management features. You can create multiple profiles in a database with different parameter settings. You then must assign the profiles to the users that the profile is most appropriate for. For each failed login attempt, the unsuccessful login attempt count is incremented until it reach the value configured for the parameter. After a user successfully logs into an account, that user's unsuccessful login attempt count is reset to 0.

By setting this value to a reasonable number, such as 10, you can limit the ability of an attacker to launch a password attack against the account. Even if a user chooses a weak password that is found in a dictionary, it is unlikely that an attacker will be able to guess the password in the first 10 attempts.

Setting this parameter to UNLIMITED is the worst possible setting. By setting the parameter to UNLIMITED, an attacker can attempt an unlimited amount of guesses of the password for all accounts granted the specified profile. Setting the parameter to a value such as 10 is appropriate. Setting the value too low may result in valid users locking their accounts when mistyping the password.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	FAILED_LOGIN_ATTEMPTS	UNLIMITED

Solution:
The permissible number of failed login attempts can be specified when creating the profile using the CREATE PROFILE statement or later by executing the ALTER PROFILE statement. Below is the syntax for changing the value.

ALTER PROFILE [profile name] LIMIT
FAILED_LOGIN_ATTEMPTS 10

Once a profile is configured, the profile must be assigned to users. Below is the syntax for this command:
ALTER USER [username] PROFILE [profile name]

Once an account has been locked, it can be unlocked by an account with the ALTER ANY USER system privilege using the command below:
ALTER USER [username] ACCOUNT UNLOCK

Description:
Check for accounts that have been locked. Oracle provides a facility to lock accounts when multiple failed logins occur against that account. This facility prevents passwords from being brute-forced by an attacker. If an account is found to be locked, it may indicate that the account has been attacked.

CVE Reference No.: CVE-NO-MATCH

Severity	USERNAME	ACCOUNT_STATUS
	OUTLN	EXPIRED & LOCKED
	WKSYS	EXPIRED & LOCKED
	QS_CBADM	EXPIRED & LOCKED
	QS_OS	EXPIRED & LOCKED
	QS_ES	EXPIRED & LOCKED
	SH	EXPIRED & LOCKED
	PM	EXPIRED & LOCKED
	OE	EXPIRED & LOCKED
	HR	EXPIRED & LOCKED
	QS_WS	EXPIRED & LOCKED
	QS	EXPIRED & LOCKED
	QS_ADM	EXPIRED & LOCKED
	QS_CS	EXPIRED & LOCKED
	QS_CB	EXPIRED & LOCKED
	RMAN	EXPIRED & LOCKED
	OLAPDBA	EXPIRED & LOCKED
	CTXSYS	EXPIRED & LOCKED
	OLAPSVR	EXPIRED & LOCKED
	OLAPSYS	EXPIRED & LOCKED
	MDSYS	EXPIRED & LOCKED
	ORDPLUGINS	EXPIRED & LOCKED
	ORDSYS	EXPIRED & LOCKED

Solution:
You can unlock a password using the following command:

ALTER USER [username] ACCOUNT UNLOCK;

If you discover a password is being locked and cannot determine the cause, you should configure auditing on the account and review the audit logs to determine the source of the locking.

Description:
Check that the OS_AUTHENT_PREFIX setting is in compliance with the policy. Oracle can be configured to allow operating system accounts to be authenticated to Oracle without having to specify a password. When set up this way, OS accounts are mapped to Oracle accounts of the same name prefixed with the string specified by the OS_AUTHENT_PREFIX configuration parameter. By default, this value is OPS$. This means that the OS user account jdoe will be authenticated to Oracle as the Oracle account OPS$jdoe, if that account exists.

If the Oracle account being accessed has a valid password, then users may also login into Oracle using a username/password combination. If you set the prefix to anything other than OPS$, users can log into Oracle without specifying a password or by entering a valid username/password, but not both. Using the default prefix OPS$ allows remote users to attempt to guess passwords of accounts that have the OPS$ prefix but are not created using IDENTIFIED EXTERNALLY. By using a different prefix, accounts configured with the prefix must be IDENTIFIED EXTERNALLY if they are to use operating system authentication. Using any prefix other than OPS$ significantly reduces any chance of remote password guessing and makes guessing account names with the prefix harder.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	OS Authentication Prefix	No violations found

Description:
Check that users have changed their passwords within the designated policy setting. Passwords need to be changed frequently, as there are so many ways to have your password stolen, sniffed or viewed. It is therefore important for database administrators to be mindful of how frequently passwords are being changed, and which users have not been changing passwords regularly.

CVE Reference No.: CVE-NO-MATCH

Severity	NAME	ROUND(SYSDATE-PTIME)
	SYS	2640
	SYSTEM	2640
	DBSNMP	2640
	AURORA$JIS$UTILITY$	2640
	OSE$HTTP$ADMIN	2640
	AURORA$ORB$UNAUTHENTICATED	2640
	SCOTT	2640

Solution:
Inform each user that the password needs to be updated. This can be changed by running the command:

ALTER USER [username] IDENTIFIED BY [password]

Then verify that passwords have been changed by running the check again.

Description:
Check that all profiles have a Password Grace Time within the limits of the policy. The PASSWORD_GRACE_TIME value serves as a limit to the number of days during which a password must be changed following the first successful login after password expiration. Setting this value ensures users are changing their passwords. PASSWORD_GRACE_TIME can be set to a number of days; UNLIMITED, meaning never require an account to change the password; or to DEFAULT, which then uses the value indicated in the DEFAULT profile. Leaving this value as UNLIMITED allows users to ignore the Change Password prompt indefinitely. This feature is set for profiles. These profiles then must be associated with an account. This check verifies that all profiles have a minimum level of security.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	PASSWORD_GRACE_TIME	UNLIMITED

Solution:
Modify the PASSWORD_GRACE_TIME profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_GRACE_TIME xx

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that Oracle 8 profiles have not exceeded the allowed limit for Password Life Time. The PASSWORD_LIFE_TIME value serves as a limit to the number of days after which a password expires. Setting this value ensures users are changing their passwords. PASSWORD_LIFE_TIME can be set to a number of days; UNLIMITED, meaning never require an account to change the password; or to DEFAULT, which then uses the value indicated in the DEFAULT profile. Leaving this value on UNLIMITED allows users to use the same passwords indefinitely. This feature is set for profiles. These profiles then must be associated with an account. This check verifies that all profiles have a minimum level of security set.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	PASSWORD_LIFE_TIME	UNLIMITED

Solution:
Modify the PASSWORD_LIFE_TIME profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_LIFE_TIME xx

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that Oracle 8 profiles have not exceeded the allowed limit for PASSWORD_LOCK_TIME. The PASSWORD_LOCK_TIME value specifies the number of days to lock an account after the designated number of failed login attempts is reached. PASSWORD_LOCK_TIME can be set to a number of days; UNLIMITED; or to DEFAULT which then uses the value indicated in the DEFAULT profile. Setting this value on UNLIMITED requires that the database administrator unlock the account. This feature is set for profiles. These profiles then must be associated with an account. This check verifies that all profiles have a minimum level of security set.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	PASSWORD_LOCK_TIME	UNLIMITED

Solution:
Modify the PASSWORD_LOCK_TIME profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_LOCK_TIME xx

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that Oracle 8 profiles have not exceeded the allowed limit for PASSWORD_REUSE_MAX. The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. PASSWORD_REUSE_MAX can be set to a number of reuses; UNLIMITED; or to DEFAULT, which then uses the value indicated in the DEFAULT profile. Setting this value to UNLIMITED allows passwords to be reused immediately. This feature is set for profiles. These profiles then must be associated with an account. PASSWORD_REUSE_MAX is mutually exclusive with PASSWORD_REUSE_TIME. If PASSWORD_REUSE_MAX is set to a value for a given profile, PASSWORD_REUSE_TIME must be set to UNLIMITED for the same profile. This check verifies that all profiles have a minimum level of security set.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	PASSWORD_REUSE_MAX	UNLIMITED

Solution:
Modify the PASSWORD_REUSE_MAX profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_REUSE_MAX xx

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that Oracle 8 profiles are not within the allowed limit for PASSWORD_REUSE_TIME. Oracle 8 introduces a new profile value, PASSWORD_REUSE_TIME. This value specifies the number of days before a password can be reused. PASSWORD_REUSE_TIME can be set to a number of days; UNLIMITED; or to DEFAULT, which then uses the value indicated in the DEFAULT profile. Setting this value to UNLIMITED allows passwords to be reused immediately. This feature is set for profiles. These profiles then must be associated with an account. PASSWORD_REUSE_TIME is mutually exclusive with PASSWORD_REUSE_MAX. If PASSWORD_REUSE_TIME is set to a value for a given profile, PASSWORD_REUSE_MAX must be set to UNLIMITED for the same profile. This check verifies that all profiles have a minimum level of security set.

CVE Reference No.: CVE-NO-MATCH

Severity	PROFILE	RESOURCE_NAME	LIMIT
	DEFAULT	PASSWORD_REUSE_TIME	UNLIMITED

Solution:
Modify the PASSWORD_REUSE_TIME profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_REUSE_TIME xx

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that the Password Verify Function is specified properly. The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL function to be used for password verification when users who are assigned this profile log in to a database. This function can be used to validate password strength by requiring passwords to pass a strength test written in PL/SQL. The function must be locally available for execution on the database to which this profile applies. Oracle provides a default script (utlpwdmg.sql), but you can also create your own function. The password verification function must be owned by SYS. The default setting for this profile parameter is NULL, meaning no password verification is performed.

CVE Reference No.: CVE-NO-MATCH

Severity	RESOURCE_NAME	LIMIT
	PASSWORD_VERIFY_FUNCTION	NULL

Solution:
Modify the PASSWORD_VERIFY_FUNCTION profile parameter by executing the following command:
ALTER PROFILE [profile name] LIMIT PASSWORD_VERIFY_FUNCTION [password function]

Modify the users associated with a profile value by executing the following command:
ALTER USER [username] PROFILE [new profile]

Description:
Check that the Oracle parameter REMOTE_LOGIN_PASSWORDFILE is in compliance with the policy. REMOTE_LOGIN_PASSWORDFILE specifies whether Oracle checks for a password file and how many databases can use the password file. Setting the parameter to NONE signifies that Oracle should ignore any password file (and only operating systems accounts in the dba group can connect INTERNAL). Setting the parameter to EXCLUSIVE signifies that the password file can be used by only one database and the password file can contain names other than SYS and INTERNAL (operating system users can still connect INTERNAL). Setting the parameter to SHARED allows more than one database to use a password file. However, the only users recognized by the password file are SYS and INTERNAL (operating system users can still connect INTERNAL). Setting the parameter to NONE, the recommended setting, prevents remote users from connecting as INTERNAL.

CVE Reference No.: CVE-NO-MATCH

Severity	NAME	VALUE	DESCRIPTION
	remote_login_passwordfile	EXCLUSIVE	password file usage parameter

Solution:
Set the REMOTE_LOGIN_PASSWORDFILE value in the init.ora configuration file.

Description:
Check for roles without passwords. Oracle roles can be configured to require password authentication to use the role. In secure environments, sensitive roles should have passwords assigned to them. Oracle roles defined without password verification allow easy access.

CVE Reference No.: CVE-NO-MATCH

Severity	ROLE	PASSWORD_REQUIRED
	CONNECT	NO
	RESOURCE	NO
	DBA	NO
	SELECT_CATALOG_ROLE	NO
	EXECUTE_CATALOG_ROLE	NO
	DELETE_CATALOG_ROLE	NO
	EXP_FULL_DATABASE	NO
	WM_ADMIN_ROLE	NO
	IMP_FULL_DATABASE	NO
	RECOVERY_CATALOG_OWNER	NO
	AQ_ADMINISTRATOR_ROLE	NO
	AQ_USER_ROLE	NO
	OEM_MONITOR	NO
	HS_ADMIN_ROLE	NO
	JAVAUSERPRIV	NO
	JAVAIDPRIV	NO
	JAVASYSPRIV	NO
	JAVADEBUGPRIV	NO
	JAVA_ADMIN	NO
	JAVA_DEPLOY	NO
	CTXAPP	NO
	WKADMIN	NO
	WKUSER	NO
	OLAP_DBA	NO

Solution:
To set passwords for a role, execute the following statement: ALTER ROLE [Role Name] IDENTIFIED BY [password].

Description:
Check that the REMOTE_OS_AUTHENT parameter is not set to TRUE. Setting this value to TRUE allows operating system authentication over a non-secure connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system.

CVE Reference No.: CVE-NO-MATCH

Severity	NAME	VALUE	DESCRIPTION
	remote_os_authent	FALSE	allow non-secure remote clients to use auto-logon accounts

Solution:
Set the REMOTE_OS_AUTHENT value to FALSE in the init.ora configuration file.

Description:
Check that Oracle is not configured to enable roles based on remote operating system user group membership. Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLE is set to TRUE, a remote user could impersonate another operating system user over a network connection. It is a security risk to use operating system role authentication for network clients.

CVE Reference No.: CVE-NO-MATCH

Severity	NAME	VALUE	DESCRIPTION
	remote_os_roles	FALSE	allow non-secure remote clients to use os roles

Solution:
Set the REMOTE_OS_ROLES value to FALSE in the init.ora configuration file.

Description:
The DBA role on an Oracle database is the most powerful role with far-reaching privileges. All users or roles granted this privilege must be carefully monitored. You must watch out for any unauthorized additions to the DBA role, or the addition of Oracle default accounts to the DBA role. By default the SYS and SYSTEM accounts are granted the DBA role. This check determines if any users other than SYS and SYSTEM have been given the DBA role.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	GRANTED_ROLE	ADMIN_OPTION	DEFAULT_ROLE
	CTXSYS	DBA	NO	YES
	WKSYS	DBA	NO	YES

Solution:
The findings given below do not necessarily represent a vulnerability if the accounts are authorized accounts for the DBA role. But if this is not the case, such accounts must be investigated immediately and removed from the DBA role. This is done by the following command:
REVOKE DBA FROM [account]

Description:
Privileges to create, alter, or execute ANY source code objects are very powerful privileges. Because of the ease in which these privileges can be elevated to full DBA, granting these privilege should be done only to DBA accounts.
Oracle supports a wide variety of privileges which allow a user to perform actions of types of objects. Some of these privileges can be granted using the "ANY" keyword. This keyword allows the GRANTEE to perform the action on any schema. This is powerful and can be used to escalate privileges.

The following privileges can be used to create or execute code in the SYS schema.
CREATE ANY PROCEDURE
ALTER ANY PROCEDURE
EXECUTE ANY PROCEDURE
ALTER ANY TRIGGER
CREATE ANY TRIGGER

Once code is create or execute in the SYS schema, it will run under the privileges of the SYS user, effectively allowing the GRANTEE to execute any commands as the SYS user.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	ALTER ANY PROCEDURE
	IMP_FULL_DATABASE	ALTER ANY PROCEDURE
	MDSYS	ALTER ANY PROCEDURE
	WKSYS	ALTER ANY PROCEDURE
	CTXSYS	ALTER ANY TRIGGER
	IMP_FULL_DATABASE	ALTER ANY TRIGGER
	MDSYS	ALTER ANY TRIGGER
	WKSYS	ALTER ANY TRIGGER
	CTXSYS	CREATE ANY PROCEDURE
	IMP_FULL_DATABASE	CREATE ANY PROCEDURE
	MDSYS	CREATE ANY PROCEDURE
	WKSYS	CREATE ANY PROCEDURE
	CTXSYS	CREATE ANY TRIGGER
	IMP_FULL_DATABASE	CREATE ANY TRIGGER
	MDSYS	CREATE ANY TRIGGER
	WKSYS	CREATE ANY TRIGGER
	CTXSYS	EXECUTE ANY PROCEDURE
	EXP_FULL_DATABASE	EXECUTE ANY PROCEDURE
	IMP_FULL_DATABASE	EXECUTE ANY PROCEDURE
	MDSYS	EXECUTE ANY PROCEDURE
	OUTLN	EXECUTE ANY PROCEDURE
	WKSYS	EXECUTE ANY PROCEDURE

Solution:
Revoke privileges from any users that are not DBAs. Grant them specific privileges on any functions or procedures they need to execute.

To revoke the privilege from an account, run the following command:
REVOKE [PRIVILEGE] FROM [user or role]

where privilege is one of the following:
CREATE ANY PROCEDURE
ALTER ANY PROCEDURE
EXECUTE ANY PROCEDURE
ALTER ANY TRIGGER
CREATE ANY TRIGGER

Description:
Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges BECOME USER or ALTER USER.
Privileges to become another user can be used maliciously. The privileges to do so allows an attacker to access data or runs commands under the privileges of another user. This results in a loss of both auditability and accountability.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	ALTER USER
	MDSYS	ALTER USER
	WKSYS	ALTER USER
	CTXSYS	BECOME USER
	IMP_FULL_DATABASE	BECOME USER
	MDSYS	BECOME USER
	WKSYS	BECOME USER

Solution:
Revoke the privileges from any users that are not DBAs. To revoke the privilege from an account or role, run the following command:

REVOKE BECOME USER FROM [user or role]
REVOKE ALTER USER FROM [user or role]

Description:
Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege CREATE PUBLIC SYNONYM.

Privileges to create public synonyms can be used maliciously. The privileges to do so allows an attacker to create synonyms which override the names of other objects. The synonyms may point to other objects not intended to be accessed. Privileges to create public synonyms should be granted to database administrators only.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	CREATE PUBLIC SYNONYM
	IMP_FULL_DATABASE	CREATE PUBLIC SYNONYM
	MDSYS	CREATE PUBLIC SYNONYM
	OLAPSYS	CREATE PUBLIC SYNONYM
	ORDPLUGINS	CREATE PUBLIC SYNONYM
	ORDSYS	CREATE PUBLIC SYNONYM
	WKSYS	CREATE PUBLIC SYNONYM

Solution:
Revoke the privileges from any users that are not DBAs. To revoke the privilege from an account or role, run the following command:
REVOKE CREATE PUBLIC SYNONYM FROM [user or role]

Description:
Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privilege GRANT ANY ROLE.
Privileges to grant any role are very powerful. Because of the ease in which these privileges can be elevated to full DBA, granting these privilege should be done only to DBA accounts.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	GRANT ANY ROLE
	MDSYS	GRANT ANY ROLE
	WKSYS	GRANT ANY ROLE

Solution:
Revoke the privileges from any users that are not DBAs. To revoke the privilege from an account or role, run the following command:
REVOKE CREATE PUBLIC SYNONYM FROM [user or role]

Description:
Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the privileges DROP PUBLIC DATABASE LINK and CREATE PUBLIC DATABASE LINK.
Privileges to replace public links can be used maliciously. The privileges to do so allows an attacker to replace an existing link with a link to a malicious database. Then when a privileged user access the database links, the credentials of the privilege user can be hijacked. Privileges to create and drop database links should be granted to database administrators only.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	CREATE PUBLIC DATABASE LINK
	IMP_FULL_DATABASE	CREATE PUBLIC DATABASE LINK
	MDSYS	CREATE PUBLIC DATABASE LINK
	WKSYS	CREATE PUBLIC DATABASE LINK
	CTXSYS	DROP PUBLIC DATABASE LINK
	IMP_FULL_DATABASE	DROP PUBLIC DATABASE LINK
	MDSYS	DROP PUBLIC DATABASE LINK
	WKSYS	DROP PUBLIC DATABASE LINK

Solution:
Revoke the privileges from any users that are not DBAs. To revoke the privilege from an account or role, run the following command:

REVOKE CREATE PUBLIC DATABASE LINK FROM [user or role]
REVOKE DROP PUBLIC DATABASE LINK FROM [user or role]

Description:
Check for accounts granted the system privilege ALTER SYSTEM
The initialization parameter "fixed_date" can be used to manipulate time or date dependent applications. Because of this class of time-based attacks, you should review the accounts granted the system privilege ALTER SYSTEM.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	ALTER SYSTEM
	MDSYS	ALTER SYSTEM
	WKSYS	ALTER SYSTEM

Solution:
For any accounts that do not require the system privilege ALTER SYSTEM, revoke the privilege using the following command:

REVOKE ALTER SYSTEM FROM [role or user]

Description:
Check for accounts (other than DBA, SYS, and SYSTEM) that have been granted the role JAVA_ADMIN.
The role JAVA_ADMIN can be used maliciously to execute and access files on the operating system level. The JAVA_ADMIN role should be granted to database administrators only.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Account granted the JAVA_ADMIN role	No violations found

Description:
Check if accounts are using the SYS or SYSTEM tablespaces. Use of the SYS or SYSTEM table space as the default tablespace is highly discouraged. New objects created by the account will be placed on this tablespace. The SYS or SYSTEM tablespace contains the data dictionary and should not be used for other tables.

CVE Reference No.: CVE-NO-MATCH

Severity	USERNAME	DEFAULT	DEFAULT_TABLESPACE
	SYS	DEFAULT	SYSTEM
	SYSTEM	DEFAULT	SYSTEM
	DBSNMP	DEFAULT	SYSTEM
	AURORA$JIS$UTILITY$	DEFAULT	SYSTEM
	SCOTT	DEFAULT	SYSTEM
	AURORA$ORB$UNAUTHENTICATED	DEFAULT	SYSTEM
	OSE$HTTP$ADMIN	DEFAULT	SYSTEM
	OUTLN	DEFAULT	SYSTEM
	OLAPSVR	DEFAULT	SYSTEM
	ORDPLUGINS	DEFAULT	SYSTEM
	OLAPDBA	DEFAULT	SYSTEM
	MDSYS	DEFAULT	SYSTEM
	ORDSYS	DEFAULT	SYSTEM

Solution:
Change the default table space for an account by executing the following command: ALTER USER [username] DEFAULT TABLESPACE [new tablespace].

Description:
Check permissions on the audit table. Permissions to this table should be restricted to only those accounts requiring access. Granting excessive permissions could lead to tampering of the audit trail data. Check that only the appropriate accounts have permissions to perform select, insert, delete, or update operations on the table where the audit data is stored (SYS.AUD$).

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	TABLE_NAME	GRANTOR	PRIVILEGE	GRANTABLE
	DELETE_CATALOG_ROLE	AUD$	SYS	DELETE	NO

Solution:
Revoke permissions from the SYS.AUD$ table for accounts that do not require access.

Description:
CREATE LIBRARY and CREATE ANY LIBRARY are powerful privileges and access to them should be tightly controlled. These privileges can be used to access the operating system. CREATE LIBRARY allows a user to load an operating system binary file and call into the functions of the binary. CREATE LIBRARY can be used by a database user to attack the operating system, so this feature should be tightly guarded.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE
	CTXSYS	CREATE ANY LIBRARY
	DBA	CREATE ANY LIBRARY
	IMP_FULL_DATABASE	CREATE ANY LIBRARY
	MDSYS	CREATE ANY LIBRARY
	WKSYS	CREATE ANY LIBRARY
	CTXSYS	CREATE LIBRARY
	DBA	CREATE LIBRARY
	MDSYS	CREATE LIBRARY
	ORDPLUGINS	CREATE LIBRARY
	ORDSYS	CREATE LIBRARY
	WKSYS	CREATE LIBRARY

Solution:
Revoke permissions to create libraries from any users that do not need the privilege.

To revoke the CREATE LIBRARY system privilege, run the following command:

REVOKE CREATE LIBRARY FROM [user or role]

To revoke the CREATE ANY LIBRARY system privilege, run the following command:

REVOKE CREATE ANY LIBRARY FROM [user or role]

Description:
Check that the parameter O7_DICTIONARY_ACCESSIBILITY is set to false. Oracle 8 provides the parameter O7_DICTIONARY_ACCESSIBILITY to prevent accounts with the privilege SELECT ANY TABLE from selecting on the data dictionary tables. Setting this parameter to FALSE helps restrict access to sensitive data in the data dictionary such as the encrypted passwords.

CVE Reference No.: CVE-NO-MATCH

Severity	NAME	VALUE	DESCRIPTION
	O7_DICTIONARY_ACCESSIBILITY	FALSE	Version 7 Dictionary Accessibility Support

Solution:
Set the O7_DICTIONARY_ACCESSIBILITY value in the init.ora configuration file to FALSE.

Description:
The 'Accounts allowed permissions on the database links table' field allows you to enter the specific accounts or roles that are allowed permissions to view data in the database links table.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Database Link Permissions	No violations found

Description:
The system privileges with the ANY word in them give wide ranging privileges to the grantee. These must be used with a lot of care and caution. A list of non-DBA users/roles who have been granted these privileges is shown below.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	ANYPRIVILEGE	PRIVILEGE
	AQ_ADMINISTRATOR_ROLE	ANY Privilege	DEQUEUE ANY QUEUE
	AQ_ADMINISTRATOR_ROLE	ANY Privilege	ENQUEUE ANY QUEUE
	AQ_ADMINISTRATOR_ROLE	ANY Privilege	MANAGE ANY QUEUE
	CTXSYS	ANY Privilege	ALTER ANY CLUSTER
	CTXSYS	ANY Privilege	ALTER ANY DIMENSION
	CTXSYS	ANY Privilege	ALTER ANY INDEX
	CTXSYS	ANY Privilege	ALTER ANY INDEXTYPE
	CTXSYS	ANY Privilege	ALTER ANY LIBRARY
	CTXSYS	ANY Privilege	ALTER ANY OUTLINE
	CTXSYS	ANY Privilege	ALTER ANY PROCEDURE
	CTXSYS	ANY Privilege	ALTER ANY ROLE
	CTXSYS	ANY Privilege	ALTER ANY SECURITY PROFILE
	CTXSYS	ANY Privilege	ALTER ANY SEQUENCE
	CTXSYS	ANY Privilege	ALTER ANY SNAPSHOT
	CTXSYS	ANY Privilege	ALTER ANY TABLE
	CTXSYS	ANY Privilege	ALTER ANY TRIGGER
	CTXSYS	ANY Privilege	ALTER ANY TYPE
	CTXSYS	ANY Privilege	BACKUP ANY TABLE
	CTXSYS	ANY Privilege	COMMENT ANY TABLE
	CTXSYS	ANY Privilege	CREATE ANY CLUSTER
	CTXSYS	ANY Privilege	CREATE ANY CONTEXT
	CTXSYS	ANY Privilege	CREATE ANY DIMENSION
	CTXSYS	ANY Privilege	CREATE ANY DIRECTORY
	CTXSYS	ANY Privilege	CREATE ANY INDEX
	CTXSYS	ANY Privilege	CREATE ANY INDEXTYPE
	CTXSYS	ANY Privilege	CREATE ANY LIBRARY
	CTXSYS	ANY Privilege	CREATE ANY OPERATOR
	CTXSYS	ANY Privilege	CREATE ANY OUTLINE
	CTXSYS	ANY Privilege	CREATE ANY PROCEDURE
	CTXSYS	ANY Privilege	CREATE ANY SECURITY PROFILE
	CTXSYS	ANY Privilege	CREATE ANY SEQUENCE
	CTXSYS	ANY Privilege	CREATE ANY SNAPSHOT
	CTXSYS	ANY Privilege	CREATE ANY SYNONYM
	CTXSYS	ANY Privilege	CREATE ANY TABLE
	CTXSYS	ANY Privilege	CREATE ANY TRIGGER
	CTXSYS	ANY Privilege	CREATE ANY TYPE
	CTXSYS	ANY Privilege	CREATE ANY VIEW
	CTXSYS	ANY Privilege	DELETE ANY TABLE
	CTXSYS	ANY Privilege	DEQUEUE ANY QUEUE
	CTXSYS	ANY Privilege	DROP ANY CLUSTER
	CTXSYS	ANY Privilege	DROP ANY CONTEXT
	CTXSYS	ANY Privilege	DROP ANY DIMENSION
	CTXSYS	ANY Privilege	DROP ANY DIRECTORY
	CTXSYS	ANY Privilege	DROP ANY INDEX
	CTXSYS	ANY Privilege	DROP ANY INDEXTYPE
	CTXSYS	ANY Privilege	DROP ANY LIBRARY
	CTXSYS	ANY Privilege	DROP ANY OPERATOR
	CTXSYS	ANY Privilege	DROP ANY OUTLINE
	CTXSYS	ANY Privilege	DROP ANY PROCEDURE
	CTXSYS	ANY Privilege	DROP ANY ROLE
	CTXSYS	ANY Privilege	DROP ANY SEQUENCE
	CTXSYS	ANY Privilege	DROP ANY SNAPSHOT
	CTXSYS	ANY Privilege	DROP ANY SYNONYM
	CTXSYS	ANY Privilege	DROP ANY TABLE
	CTXSYS	ANY Privilege	DROP ANY TRIGGER
	CTXSYS	ANY Privilege	DROP ANY TYPE
	CTXSYS	ANY Privilege	DROP ANY VIEW
	CTXSYS	ANY Privilege	ENQUEUE ANY QUEUE
	CTXSYS	ANY Privilege	EXECUTE ANY INDEXTYPE
	CTXSYS	ANY Privilege	EXECUTE ANY LIBRARY
	CTXSYS	ANY Privilege	EXECUTE ANY OPERATOR
	CTXSYS	ANY Privilege	EXECUTE ANY PROCEDURE
	CTXSYS	ANY Privilege	EXECUTE ANY TYPE
	CTXSYS	ANY Privilege	FORCE ANY TRANSACTION
	CTXSYS	ANY Privilege	GRANT ANY PRIVILEGE
	CTXSYS	ANY Privilege	GRANT ANY ROLE
	CTXSYS	ANY Privilege	INSERT ANY TABLE
	CTXSYS	ANY Privilege	LOCK ANY TABLE
	CTXSYS	ANY Privilege	MANAGE ANY QUEUE
	CTXSYS	ANY Privilege	SELECT ANY SEQUENCE
	CTXSYS	ANY Privilege	SELECT ANY TABLE
	CTXSYS	ANY Privilege	UNDER ANY TABLE
	CTXSYS	ANY Privilege	UNDER ANY TYPE
	CTXSYS	ANY Privilege	UNDER ANY VIEW
	CTXSYS	ANY Privilege	UPDATE ANY TABLE
	DBSNMP	ANY Privilege	SELECT ANY DICTIONARY
	EXP_FULL_DATABASE	ANY Privilege	BACKUP ANY TABLE
	EXP_FULL_DATABASE	ANY Privilege	EXECUTE ANY PROCEDURE
	EXP_FULL_DATABASE	ANY Privilege	EXECUTE ANY TYPE
	EXP_FULL_DATABASE	ANY Privilege	SELECT ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	ALTER ANY PROCEDURE
	IMP_FULL_DATABASE	ANY Privilege	ALTER ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	ALTER ANY TRIGGER
	IMP_FULL_DATABASE	ANY Privilege	ALTER ANY TYPE
	IMP_FULL_DATABASE	ANY Privilege	COMMENT ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY CLUSTER
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY CONTEXT
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY DIMENSION
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY DIRECTORY
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY INDEX
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY INDEXTYPE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY LIBRARY
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY OPERATOR
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY PROCEDURE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY SEQUENCE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY SNAPSHOT
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY SYNONYM
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY TRIGGER
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY TYPE
	IMP_FULL_DATABASE	ANY Privilege	CREATE ANY VIEW
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY CLUSTER
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY CONTEXT
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY DIMENSION
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY DIRECTORY
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY INDEX
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY INDEXTYPE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY LIBRARY
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY OPERATOR
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY OUTLINE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY PROCEDURE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY ROLE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY SEQUENCE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY SNAPSHOT
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY SYNONYM
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY TRIGGER
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY TYPE
	IMP_FULL_DATABASE	ANY Privilege	DROP ANY VIEW
	IMP_FULL_DATABASE	ANY Privilege	EXECUTE ANY PROCEDURE
	IMP_FULL_DATABASE	ANY Privilege	EXECUTE ANY TYPE
	IMP_FULL_DATABASE	ANY Privilege	INSERT ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	MANAGE ANY QUEUE
	IMP_FULL_DATABASE	ANY Privilege	SELECT ANY TABLE
	IMP_FULL_DATABASE	ANY Privilege	UPDATE ANY TABLE
	JAVADEBUGPRIV	ANY Privilege	DEBUG ANY PROCEDURE
	MDSYS	ANY Privilege	ALTER ANY CLUSTER
	MDSYS	ANY Privilege	ALTER ANY DIMENSION
	MDSYS	ANY Privilege	ALTER ANY INDEX
	MDSYS	ANY Privilege	ALTER ANY INDEXTYPE
	MDSYS	ANY Privilege	ALTER ANY LIBRARY
	MDSYS	ANY Privilege	ALTER ANY OUTLINE
	MDSYS	ANY Privilege	ALTER ANY PROCEDURE
	MDSYS	ANY Privilege	ALTER ANY ROLE
	MDSYS	ANY Privilege	ALTER ANY SECURITY PROFILE
	MDSYS	ANY Privilege	ALTER ANY SEQUENCE
	MDSYS	ANY Privilege	ALTER ANY SNAPSHOT
	MDSYS	ANY Privilege	ALTER ANY TABLE
	MDSYS	ANY Privilege	ALTER ANY TRIGGER
	MDSYS	ANY Privilege	ALTER ANY TYPE
	MDSYS	ANY Privilege	BACKUP ANY TABLE
	MDSYS	ANY Privilege	COMMENT ANY TABLE
	MDSYS	ANY Privilege	CREATE ANY CLUSTER
	MDSYS	ANY Privilege	CREATE ANY CONTEXT
	MDSYS	ANY Privilege	CREATE ANY DIMENSION
	MDSYS	ANY Privilege	CREATE ANY DIRECTORY
	MDSYS	ANY Privilege	CREATE ANY INDEX
	MDSYS	ANY Privilege	CREATE ANY INDEXTYPE
	MDSYS	ANY Privilege	CREATE ANY LIBRARY
	MDSYS	ANY Privilege	CREATE ANY OPERATOR
	MDSYS	ANY Privilege	CREATE ANY OUTLINE
	MDSYS	ANY Privilege	CREATE ANY PROCEDURE
	MDSYS	ANY Privilege	CREATE ANY SECURITY PROFILE
	MDSYS	ANY Privilege	CREATE ANY SEQUENCE
	MDSYS	ANY Privilege	CREATE ANY SNAPSHOT
	MDSYS	ANY Privilege	CREATE ANY SYNONYM
	MDSYS	ANY Privilege	CREATE ANY TABLE
	MDSYS	ANY Privilege	CREATE ANY TRIGGER
	MDSYS	ANY Privilege	CREATE ANY TYPE
	MDSYS	ANY Privilege	CREATE ANY VIEW
	MDSYS	ANY Privilege	DELETE ANY TABLE
	MDSYS	ANY Privilege	DEQUEUE ANY QUEUE
	MDSYS	ANY Privilege	DROP ANY CLUSTER
	MDSYS	ANY Privilege	DROP ANY CONTEXT
	MDSYS	ANY Privilege	DROP ANY DIMENSION
	MDSYS	ANY Privilege	DROP ANY DIRECTORY
	MDSYS	ANY Privilege	DROP ANY INDEX
	MDSYS	ANY Privilege	DROP ANY INDEXTYPE
	MDSYS	ANY Privilege	DROP ANY LIBRARY
	MDSYS	ANY Privilege	DROP ANY OPERATOR
	MDSYS	ANY Privilege	DROP ANY OUTLINE
	MDSYS	ANY Privilege	DROP ANY PROCEDURE
	MDSYS	ANY Privilege	DROP ANY ROLE
	MDSYS	ANY Privilege	DROP ANY SEQUENCE
	MDSYS	ANY Privilege	DROP ANY SNAPSHOT
	MDSYS	ANY Privilege	DROP ANY SYNONYM
	MDSYS	ANY Privilege	DROP ANY TABLE
	MDSYS	ANY Privilege	DROP ANY TRIGGER
	MDSYS	ANY Privilege	DROP ANY TYPE
	MDSYS	ANY Privilege	DROP ANY VIEW
	MDSYS	ANY Privilege	ENQUEUE ANY QUEUE
	MDSYS	ANY Privilege	EXECUTE ANY INDEXTYPE
	MDSYS	ANY Privilege	EXECUTE ANY LIBRARY
	MDSYS	ANY Privilege	EXECUTE ANY OPERATOR
	MDSYS	ANY Privilege	EXECUTE ANY PROCEDURE
	MDSYS	ANY Privilege	EXECUTE ANY TYPE
	MDSYS	ANY Privilege	FORCE ANY TRANSACTION
	MDSYS	ANY Privilege	GRANT ANY PRIVILEGE
	MDSYS	ANY Privilege	GRANT ANY ROLE
	MDSYS	ANY Privilege	INSERT ANY TABLE
	MDSYS	ANY Privilege	LOCK ANY TABLE
	MDSYS	ANY Privilege	MANAGE ANY QUEUE
	MDSYS	ANY Privilege	SELECT ANY SEQUENCE
	MDSYS	ANY Privilege	SELECT ANY TABLE
	MDSYS	ANY Privilege	UNDER ANY TABLE
	MDSYS	ANY Privilege	UNDER ANY TYPE
	MDSYS	ANY Privilege	UNDER ANY VIEW
	MDSYS	ANY Privilege	UPDATE ANY TABLE
	OEM_MONITOR	ANY Privilege	SELECT ANY DICTIONARY
	OLAP_DBA	ANY Privilege	ALTER ANY DIMENSION
	OLAP_DBA	ANY Privilege	ALTER ANY TABLE
	OLAP_DBA	ANY Privilege	CREATE ANY DIMENSION
	OLAP_DBA	ANY Privilege	CREATE ANY INDEX
	OLAP_DBA	ANY Privilege	CREATE ANY TABLE
	OLAP_DBA	ANY Privilege	CREATE ANY VIEW
	OLAP_DBA	ANY Privilege	DROP ANY DIMENSION
	OLAP_DBA	ANY Privilege	DROP ANY TABLE
	OLAP_DBA	ANY Privilege	DROP ANY VIEW
	OLAP_DBA	ANY Privilege	LOCK ANY TABLE
	OLAP_DBA	ANY Privilege	SELECT ANY DICTIONARY
	OLAP_DBA	ANY Privilege	SELECT ANY TABLE
	ORDPLUGINS	ANY Privilege	CREATE ANY INDEXTYPE
	ORDPLUGINS	ANY Privilege	CREATE ANY OPERATOR
	ORDPLUGINS	ANY Privilege	CREATE ANY TABLE
	ORDPLUGINS	ANY Privilege	CREATE ANY TYPE
	ORDPLUGINS	ANY Privilege	DROP ANY INDEXTYPE
	ORDPLUGINS	ANY Privilege	DROP ANY OPERATOR
	ORDPLUGINS	ANY Privilege	DROP ANY TYPE
	ORDSYS	ANY Privilege	CREATE ANY INDEXTYPE
	ORDSYS	ANY Privilege	CREATE ANY OPERATOR
	ORDSYS	ANY Privilege	CREATE ANY TABLE
	ORDSYS	ANY Privilege	CREATE ANY TYPE
	ORDSYS	ANY Privilege	DROP ANY INDEXTYPE
	ORDSYS	ANY Privilege	DROP ANY OPERATOR
	ORDSYS	ANY Privilege	DROP ANY TYPE
	OUTLN	ANY Privilege	EXECUTE ANY PROCEDURE
	PM	ANY Privilege	CREATE ANY INDEX
	QS	ANY Privilege	ENQUEUE ANY QUEUE
	QS_ADM	ANY Privilege	DEQUEUE ANY QUEUE
	QS_ADM	ANY Privilege	ENQUEUE ANY QUEUE
	QS_ES	ANY Privilege	ENQUEUE ANY QUEUE
	QS_OS	ANY Privilege	ENQUEUE ANY QUEUE
	QS_WS	ANY Privilege	ENQUEUE ANY QUEUE
	SH	ANY Privilege	CREATE ANY DIRECTORY
	SH	ANY Privilege	DROP ANY DIRECTORY
	WKSYS	ANY Privilege	ALTER ANY CLUSTER
	WKSYS	ANY Privilege	ALTER ANY DIMENSION
	WKSYS	ANY Privilege	ALTER ANY INDEX
	WKSYS	ANY Privilege	ALTER ANY INDEXTYPE
	WKSYS	ANY Privilege	ALTER ANY LIBRARY
	WKSYS	ANY Privilege	ALTER ANY OUTLINE
	WKSYS	ANY Privilege	ALTER ANY PROCEDURE
	WKSYS	ANY Privilege	ALTER ANY ROLE
	WKSYS	ANY Privilege	ALTER ANY SECURITY PROFILE
	WKSYS	ANY Privilege	ALTER ANY SEQUENCE
	WKSYS	ANY Privilege	ALTER ANY SNAPSHOT
	WKSYS	ANY Privilege	ALTER ANY TABLE
	WKSYS	ANY Privilege	ALTER ANY TRIGGER
	WKSYS	ANY Privilege	ALTER ANY TYPE
	WKSYS	ANY Privilege	BACKUP ANY TABLE
	WKSYS	ANY Privilege	COMMENT ANY TABLE
	WKSYS	ANY Privilege	CREATE ANY CLUSTER
	WKSYS	ANY Privilege	CREATE ANY CONTEXT
	WKSYS	ANY Privilege	CREATE ANY DIMENSION
	WKSYS	ANY Privilege	CREATE ANY DIRECTORY
	WKSYS	ANY Privilege	CREATE ANY INDEX
	WKSYS	ANY Privilege	CREATE ANY INDEXTYPE
	WKSYS	ANY Privilege	CREATE ANY LIBRARY
	WKSYS	ANY Privilege	CREATE ANY OPERATOR
	WKSYS	ANY Privilege	CREATE ANY OUTLINE
	WKSYS	ANY Privilege	CREATE ANY PROCEDURE
	WKSYS	ANY Privilege	CREATE ANY SECURITY PROFILE
	WKSYS	ANY Privilege	CREATE ANY SEQUENCE
	WKSYS	ANY Privilege	CREATE ANY SNAPSHOT
	WKSYS	ANY Privilege	CREATE ANY SYNONYM
	WKSYS	ANY Privilege	CREATE ANY TABLE
	WKSYS	ANY Privilege	CREATE ANY TRIGGER
	WKSYS	ANY Privilege	CREATE ANY TYPE
	WKSYS	ANY Privilege	CREATE ANY VIEW
	WKSYS	ANY Privilege	DELETE ANY TABLE
	WKSYS	ANY Privilege	DEQUEUE ANY QUEUE
	WKSYS	ANY Privilege	DROP ANY CLUSTER
	WKSYS	ANY Privilege	DROP ANY CONTEXT
	WKSYS	ANY Privilege	DROP ANY DIMENSION
	WKSYS	ANY Privilege	DROP ANY DIRECTORY
	WKSYS	ANY Privilege	DROP ANY INDEX
	WKSYS	ANY Privilege	DROP ANY INDEXTYPE
	WKSYS	ANY Privilege	DROP ANY LIBRARY
	WKSYS	ANY Privilege	DROP ANY OPERATOR
	WKSYS	ANY Privilege	DROP ANY OUTLINE
	WKSYS	ANY Privilege	DROP ANY PROCEDURE
	WKSYS	ANY Privilege	DROP ANY ROLE
	WKSYS	ANY Privilege	DROP ANY SEQUENCE
	WKSYS	ANY Privilege	DROP ANY SNAPSHOT
	WKSYS	ANY Privilege	DROP ANY SYNONYM
	WKSYS	ANY Privilege	DROP ANY TABLE
	WKSYS	ANY Privilege	DROP ANY TRIGGER
	WKSYS	ANY Privilege	DROP ANY TYPE
	WKSYS	ANY Privilege	DROP ANY VIEW
	WKSYS	ANY Privilege	ENQUEUE ANY QUEUE
	WKSYS	ANY Privilege	EXECUTE ANY INDEXTYPE
	WKSYS	ANY Privilege	EXECUTE ANY LIBRARY
	WKSYS	ANY Privilege	EXECUTE ANY OPERATOR
	WKSYS	ANY Privilege	EXECUTE ANY PROCEDURE
	WKSYS	ANY Privilege	EXECUTE ANY TYPE
	WKSYS	ANY Privilege	FORCE ANY TRANSACTION
	WKSYS	ANY Privilege	GRANT ANY PRIVILEGE
	WKSYS	ANY Privilege	GRANT ANY ROLE
	WKSYS	ANY Privilege	INSERT ANY TABLE
	WKSYS	ANY Privilege	LOCK ANY TABLE
	WKSYS	ANY Privilege	MANAGE ANY QUEUE
	WKSYS	ANY Privilege	SELECT ANY SEQUENCE
	WKSYS	ANY Privilege	SELECT ANY TABLE
	WKSYS	ANY Privilege	UNDER ANY TABLE
	WKSYS	ANY Privilege	UNDER ANY TYPE
	WKSYS	ANY Privilege	UNDER ANY VIEW
	WKSYS	ANY Privilege	UPDATE ANY TABLE
	WKUSER	ANY Privilege	CREATE ANY DIRECTORY
	WKUSER	ANY Privilege	DROP ANY DIRECTORY

Solution:
To revoke such permissions execute the following statement: REVOKE [privilege] ON [object] FROM [grantee].

Description:
Object privileges give users the ability to modify or view the data stored in a table. In a system with many tables and objects, there is typically a complex set of privileges that must be assigned. To further complicate this issue, different users typically need a different set of privileges depending on the duties the user is responsible for.
Granting and revoking these complex set of privileges is error prone and difficult to manage. As users join and leave your organization, or even change duties in your organization, the job of correctly managing the privileges is tricky. Also, if the set of privileges ever changes slightly, applying the new change to all accounts is problematic.
A better way to deal with managing these privileges is to create roles that represent the duties a typical user may need. Privileges are then granted only to the roles, never to a specific user. The roles are then granted to the users that need them. Then when a user leaves a job and takes on a new duty, the only change that needs to occur is for the role granted to the user to be changed. Also, if the privileges ever change, they are changed on the role and automatically take effect for all users with the role.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	COUNT(PRIVILEGE)
	AURORA$JIS$UTILITY$	2
	CTXSYS	30
	HR	1
	MDSYS	25
	OE	10
	OLAPDBA	2
	OLAPSYS	18
	ORDSYS	11
	OSE$HTTP$ADMIN	2
	OUTLN	1
	PM	9
	QS	7
	QS_ADM	8
	QS_CB	9
	QS_CBADM	7
	QS_CS	6
	QS_ES	7
	QS_OS	7
	QS_WS	7
	SH	5
	SYS	25
	SYSTEM	41
	WKSYS	13

Solution:
Revoke all privileges granted directly to a user. Then create a role, grant all the privileges required to the role, and then grant the role to the users that require the privileges.
To revoke privileges from accounts, use the following command:
REVOKE [privilege] FROM [account name]

To create a role, use the following command:
CREATE ROLE [role name]

To grant a privilege to a role, use the following command:
GRANT [privilege] TO [role name]

To grant a role to a user, use the following command:
GRANT [role name] TO [user name]

Description:
This check shows the number of object privileges granted to PUBLIC. Check for object permissions granted to PUBLIC. Permissions on objects may be granted to users and roles and to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC should be restricted to those objects that all users are allowed to access.

CVE Reference No.: CVE-NO-MATCH

Severity	OBJECTPRIVILEGESTOPUBLIC	COUNT(*)
	Object privileges to PUBLIC	13376

Solution:
To revoke permissions from PUBLIC, execute the following statement: REVOKE [privilege] ON [object] FROM PUBLIC.

Description:
Check for accounts or roles besides SYS and SYSTEM which have been granted access to select from the data dictionary.
The Oracle database dictionary is contained in a number of objects owned by SYS and SYSTEM. The information stored in the database dictionary is very sensitive and access to it should be restricted.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE	ADMIN_OPTION
	DBA	SELECT ANY DICTIONARY	YES
	DBSNMP	SELECT ANY DICTIONARY	NO
	OEM_MONITOR	SELECT ANY DICTIONARY	NO
	OLAP_DBA	SELECT ANY DICTIONARY	NO

Solution:
You should revoke access on any system tables.

To revoke access, execute the following command:
REVOKE [privilege] ON [object] FROM [user or role]

Description:
Check that privileges to execute the SYS.DBMS_RANDOM package have not been granted to the PUBLIC role.
Oracle provides a package that allows users to generate pseudo-random numbers in PL/SQL. Its use is discouraged since it does not generate cryptographically strong random numbers. By default, privileges to execute this function are granted to the PUBLIC role, allowing all users to execute the functions in the package.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE	TABLE_NAME	GRANTOR
	PUBLIC	EXECUTE	DBMS_RANDOM	SYS

Solution:
Revoke privileges to execute the SYS.DBMS_RANDOM package from the PUBLIC role. Grant privileges to execute the package only to those specific accounts that need to execute the package.

Revoke the privileges using the following command:
REVOKE EXECUTE ON SYS.DBMS_RANDOM FROM PUBLIC

Description:
Check that privileges to execute the SYS.UTL_HTTP package have not been granted to the PUBLIC role. Oracle provides a package that allows HTTP requests and responses to be sent from within PL/SQL. Many attacks against databases use functions such as UTL_HTTP to extract data from a database and funnel it through a firewall. By default, privileges to execute this function are granted to the PUBLIC role, allowing all users to execute the functions in the package.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE	TABLE_NAME	GRANTOR
	PUBLIC	EXECUTE	UTL_HTTP	SYS

Solution:
Revoke privileges to execute the SYS.UTL_HTTP package from the PUBLIC role. Grant privileges to execute the package only to those specific accounts that need to execute the package.

Revoke the privileges using the following command:
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC

Description:
Check that permissions to execute the SYS.UTL_SMTP package have not been granted to the PUBLIC role. Oracle provides a package that allows email to be sent from within PL/SQL. Many attacks against databases use functions such as UTL_SMTP to extract data from a database. By default, permissions to execute this function are granted to the PUBLIC role, allowing all users to execute the functions in the package.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE	TABLE_NAME	GRANTOR
	PUBLIC	EXECUTE	UTL_SMTP	SYS

Solution:
Revoke privileges to execute the SYS.UTL_SMTP package from the PUBLIC role. Grant privileges to execute the package only to those specific accounts that need to execute the package.

Revoke the privileges using the following command:
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC

Description:
Check that privileges to execute the SYS.UTL_TCP package have not been granted to the PUBLIC role. Oracle provides a package that allows PL/SQL applications to communicate with external TCP/IP-based servers using TCP/IPTCP connections. Many attacks against databases use functions such as UTL_TCP to extract data from a database and funnel it through a firewall. By default, privileges to execute this function are granted to the PUBLIC role, allowing all users to execute the functions in the package.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	PRIVILEGE	TABLE_NAME	GRANTOR
	PUBLIC	EXECUTE	UTL_TCP	SYS

Solution:
Revoke privileges to execute the SYS.UTL_TCP package from the PUBLIC role. Grant privileges to execute the package only to those specific accounts that need to execute the package.

Revoke the privileges using the following command:
REVOKE EXECUTE ON SYS.UTL_TCP FROM PUBLIC

Description:
Check that privileges having the WITH ADMIN OPTION have not been granted. Revoking system privileges having the WITH ADMIN OPTION does not revoke those privileges from other accounts that have been given the privilege by the account being revoked. This makes revoking system privileges that were granted WITH ADMIN OPTION difficult as the privilege can be given to an account and then granted back after it is revoked.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	ADMIN_OPTION	PRIVILEGE
	AQ_ADMINISTRATOR_ROLE	YES	DEQUEUE ANY QUEUE
	AQ_ADMINISTRATOR_ROLE	YES	ENQUEUE ANY QUEUE
	AQ_ADMINISTRATOR_ROLE	YES	MANAGE ANY QUEUE
	DBA	YES	ADMINISTER DATABASE TRIGGER
	DBA	YES	ADMINISTER RESOURCE MANAGER
	DBA	YES	ADMINISTER SECURITY
	DBA	YES	ALTER ANY CLUSTER
	DBA	YES	ALTER ANY DIMENSION
	DBA	YES	ALTER ANY INDEX
	DBA	YES	ALTER ANY INDEXTYPE
	DBA	YES	ALTER ANY LIBRARY
	DBA	YES	ALTER ANY OUTLINE
	DBA	YES	ALTER ANY PROCEDURE
	DBA	YES	ALTER ANY ROLE
	DBA	YES	ALTER ANY SECURITY PROFILE
	DBA	YES	ALTER ANY SEQUENCE
	DBA	YES	ALTER ANY SNAPSHOT
	DBA	YES	ALTER ANY TABLE
	DBA	YES	ALTER ANY TRIGGER
	DBA	YES	ALTER ANY TYPE
	DBA	YES	ALTER DATABASE
	DBA	YES	ALTER PROFILE
	DBA	YES	ALTER RESOURCE COST
	DBA	YES	ALTER ROLLBACK SEGMENT
	DBA	YES	ALTER SESSION
	DBA	YES	ALTER SYSTEM
	DBA	YES	ALTER TABLESPACE
	DBA	YES	ALTER USER
	DBA	YES	ANALYZE ANY
	DBA	YES	AUDIT ANY
	DBA	YES	AUDIT SYSTEM
	DBA	YES	BACKUP ANY TABLE
	DBA	YES	BECOME USER
	DBA	YES	COMMENT ANY TABLE
	DBA	YES	CREATE ANY CLUSTER
	DBA	YES	CREATE ANY CONTEXT
	DBA	YES	CREATE ANY DIMENSION
	DBA	YES	CREATE ANY DIRECTORY
	DBA	YES	CREATE ANY INDEX
	DBA	YES	CREATE ANY INDEXTYPE
	DBA	YES	CREATE ANY LIBRARY
	DBA	YES	CREATE ANY OPERATOR
	DBA	YES	CREATE ANY OUTLINE
	DBA	YES	CREATE ANY PROCEDURE
	DBA	YES	CREATE ANY SECURITY PROFILE
	DBA	YES	CREATE ANY SEQUENCE
	DBA	YES	CREATE ANY SNAPSHOT
	DBA	YES	CREATE ANY SYNONYM
	DBA	YES	CREATE ANY TABLE
	DBA	YES	CREATE ANY TRIGGER
	DBA	YES	CREATE ANY TYPE
	DBA	YES	CREATE ANY VIEW
	DBA	YES	CREATE CLUSTER
	DBA	YES	CREATE DATABASE LINK
	DBA	YES	CREATE DIMENSION
	DBA	YES	CREATE INDEXTYPE
	DBA	YES	CREATE LIBRARY
	DBA	YES	CREATE OPERATOR
	DBA	YES	CREATE PROCEDURE
	DBA	YES	CREATE PROFILE
	DBA	YES	CREATE PUBLIC DATABASE LINK
	DBA	YES	CREATE PUBLIC SYNONYM
	DBA	YES	CREATE ROLE
	DBA	YES	CREATE ROLLBACK SEGMENT
	DBA	YES	CREATE SECURITY PROFILE
	DBA	YES	CREATE SEQUENCE
	DBA	YES	CREATE SESSION
	DBA	YES	CREATE SNAPSHOT
	DBA	YES	CREATE SYNONYM
	DBA	YES	CREATE TABLE
	DBA	YES	CREATE TABLESPACE
	DBA	YES	CREATE TRIGGER
	DBA	YES	CREATE TYPE
	DBA	YES	CREATE USER
	DBA	YES	CREATE VIEW
	DBA	YES	DELETE ANY TABLE
	DBA	YES	DEQUEUE ANY QUEUE
	DBA	YES	DROP ANY CLUSTER
	DBA	YES	DROP ANY CONTEXT
	DBA	YES	DROP ANY DIMENSION
	DBA	YES	DROP ANY DIRECTORY
	DBA	YES	DROP ANY INDEX
	DBA	YES	DROP ANY INDEXTYPE
	DBA	YES	DROP ANY LIBRARY
	DBA	YES	DROP ANY OPERATOR
	DBA	YES	DROP ANY OUTLINE
	DBA	YES	DROP ANY PROCEDURE
	DBA	YES	DROP ANY ROLE
	DBA	YES	DROP ANY SEQUENCE
	DBA	YES	DROP ANY SNAPSHOT
	DBA	YES	DROP ANY SYNONYM
	DBA	YES	DROP ANY TABLE
	DBA	YES	DROP ANY TRIGGER
	DBA	YES	DROP ANY TYPE
	DBA	YES	DROP ANY VIEW
	DBA	YES	DROP PROFILE
	DBA	YES	DROP PUBLIC DATABASE LINK
	DBA	YES	DROP PUBLIC SYNONYM
	DBA	YES	DROP ROLLBACK SEGMENT
	DBA	YES	DROP TABLESPACE
	DBA	YES	DROP USER
	DBA	YES	ENQUEUE ANY QUEUE
	DBA	YES	EXECUTE ANY INDEXTYPE
	DBA	YES	EXECUTE ANY LIBRARY
	DBA	YES	EXECUTE ANY OPERATOR
	DBA	YES	EXECUTE ANY PROCEDURE
	DBA	YES	EXECUTE ANY TYPE
	DBA	YES	FORCE ANY TRANSACTION
	DBA	YES	FORCE TRANSACTION
	DBA	YES	GLOBAL QUERY REWRITE
	DBA	YES	GRANT ANY PRIVILEGE
	DBA	YES	GRANT ANY ROLE
	DBA	YES	INSERT ANY TABLE
	DBA	YES	LOCK ANY TABLE
	DBA	YES	MANAGE ANY QUEUE
	DBA	YES	MANAGE TABLESPACE
	DBA	YES	ON COMMIT REFRESH
	DBA	YES	QUERY REWRITE
	DBA	YES	RESTRICTED SESSION
	DBA	YES	RESUMABLE
	DBA	YES	SELECT ANY DICTIONARY
	DBA	YES	SELECT ANY SEQUENCE
	DBA	YES	SELECT ANY TABLE
	DBA	YES	UNDER ANY TABLE
	DBA	YES	UNDER ANY TYPE
	DBA	YES	UNDER ANY VIEW
	DBA	YES	UPDATE ANY TABLE
	MDSYS	YES	ADMINISTER DATABASE TRIGGER
	MDSYS	YES	ADMINISTER RESOURCE MANAGER
	MDSYS	YES	ADMINISTER SECURITY
	MDSYS	YES	ALTER ANY CLUSTER
	MDSYS	YES	ALTER ANY DIMENSION
	MDSYS	YES	ALTER ANY INDEX
	MDSYS	YES	ALTER ANY INDEXTYPE
	MDSYS	YES	ALTER ANY LIBRARY
	MDSYS	YES	ALTER ANY OUTLINE
	MDSYS	YES	ALTER ANY PROCEDURE
	MDSYS	YES	ALTER ANY ROLE
	MDSYS	YES	ALTER ANY SECURITY PROFILE
	MDSYS	YES	ALTER ANY SEQUENCE
	MDSYS	YES	ALTER ANY SNAPSHOT
	MDSYS	YES	ALTER ANY TABLE
	MDSYS	YES	ALTER ANY TRIGGER
	MDSYS	YES	ALTER ANY TYPE
	MDSYS	YES	ALTER DATABASE
	MDSYS	YES	ALTER PROFILE
	MDSYS	YES	ALTER RESOURCE COST
	MDSYS	YES	ALTER ROLLBACK SEGMENT
	MDSYS	YES	ALTER SESSION
	MDSYS	YES	ALTER SYSTEM
	MDSYS	YES	ALTER TABLESPACE
	MDSYS	YES	ALTER USER
	MDSYS	YES	ANALYZE ANY
	MDSYS	YES	AUDIT ANY
	MDSYS	YES	AUDIT SYSTEM
	MDSYS	YES	BACKUP ANY TABLE
	MDSYS	YES	BECOME USER
	MDSYS	YES	COMMENT ANY TABLE
	MDSYS	YES	CREATE ANY CLUSTER
	MDSYS	YES	CREATE ANY CONTEXT
	MDSYS	YES	CREATE ANY DIMENSION
	MDSYS	YES	CREATE ANY DIRECTORY
	MDSYS	YES	CREATE ANY INDEX
	MDSYS	YES	CREATE ANY INDEXTYPE
	MDSYS	YES	CREATE ANY LIBRARY
	MDSYS	YES	CREATE ANY OPERATOR
	MDSYS	YES	CREATE ANY OUTLINE
	MDSYS	YES	CREATE ANY PROCEDURE
	MDSYS	YES	CREATE ANY SECURITY PROFILE
	MDSYS	YES	CREATE ANY SEQUENCE
	MDSYS	YES	CREATE ANY SNAPSHOT
	MDSYS	YES	CREATE ANY SYNONYM
	MDSYS	YES	CREATE ANY TABLE
	MDSYS	YES	CREATE ANY TRIGGER
	MDSYS	YES	CREATE ANY TYPE
	MDSYS	YES	CREATE ANY VIEW
	MDSYS	YES	CREATE CLUSTER
	MDSYS	YES	CREATE DATABASE LINK
	MDSYS	YES	CREATE DIMENSION
	MDSYS	YES	CREATE INDEXTYPE
	MDSYS	YES	CREATE LIBRARY
	MDSYS	YES	CREATE OPERATOR
	MDSYS	YES	CREATE PROCEDURE
	MDSYS	YES	CREATE PROFILE
	MDSYS	YES	CREATE PUBLIC DATABASE LINK
	MDSYS	YES	CREATE PUBLIC SYNONYM
	MDSYS	YES	CREATE ROLE
	MDSYS	YES	CREATE ROLLBACK SEGMENT
	MDSYS	YES	CREATE SECURITY PROFILE
	MDSYS	YES	CREATE SEQUENCE
	MDSYS	YES	CREATE SESSION
	MDSYS	YES	CREATE SNAPSHOT
	MDSYS	YES	CREATE SYNONYM
	MDSYS	YES	CREATE TABLE
	MDSYS	YES	CREATE TABLESPACE
	MDSYS	YES	CREATE TRIGGER
	MDSYS	YES	CREATE TYPE
	MDSYS	YES	CREATE USER
	MDSYS	YES	CREATE VIEW
	MDSYS	YES	DELETE ANY TABLE
	MDSYS	YES	DEQUEUE ANY QUEUE
	MDSYS	YES	DROP ANY CLUSTER
	MDSYS	YES	DROP ANY CONTEXT
	MDSYS	YES	DROP ANY DIMENSION
	MDSYS	YES	DROP ANY DIRECTORY
	MDSYS	YES	DROP ANY INDEX
	MDSYS	YES	DROP ANY INDEXTYPE
	MDSYS	YES	DROP ANY LIBRARY
	MDSYS	YES	DROP ANY OPERATOR
	MDSYS	YES	DROP ANY OUTLINE
	MDSYS	YES	DROP ANY PROCEDURE
	MDSYS	YES	DROP ANY ROLE
	MDSYS	YES	DROP ANY SEQUENCE
	MDSYS	YES	DROP ANY SNAPSHOT
	MDSYS	YES	DROP ANY SYNONYM
	MDSYS	YES	DROP ANY TABLE
	MDSYS	YES	DROP ANY TRIGGER
	MDSYS	YES	DROP ANY TYPE
	MDSYS	YES	DROP ANY VIEW
	MDSYS	YES	DROP PROFILE
	MDSYS	YES	DROP PUBLIC DATABASE LINK
	MDSYS	YES	DROP PUBLIC SYNONYM
	MDSYS	YES	DROP ROLLBACK SEGMENT
	MDSYS	YES	DROP TABLESPACE
	MDSYS	YES	DROP USER
	MDSYS	YES	ENQUEUE ANY QUEUE
	MDSYS	YES	EXECUTE ANY INDEXTYPE
	MDSYS	YES	EXECUTE ANY LIBRARY
	MDSYS	YES	EXECUTE ANY OPERATOR
	MDSYS	YES	EXECUTE ANY PROCEDURE
	MDSYS	YES	EXECUTE ANY TYPE
	MDSYS	YES	FORCE ANY TRANSACTION
	MDSYS	YES	FORCE TRANSACTION
	MDSYS	YES	GLOBAL QUERY REWRITE
	MDSYS	YES	GRANT ANY PRIVILEGE
	MDSYS	YES	GRANT ANY ROLE
	MDSYS	YES	INSERT ANY TABLE
	MDSYS	YES	LOCK ANY TABLE
	MDSYS	YES	MANAGE ANY QUEUE
	MDSYS	YES	MANAGE TABLESPACE
	MDSYS	YES	ON COMMIT REFRESH
	MDSYS	YES	QUERY REWRITE
	MDSYS	YES	RESTRICTED SESSION
	MDSYS	YES	RESUMABLE
	MDSYS	YES	SELECT ANY SEQUENCE
	MDSYS	YES	SELECT ANY TABLE
	MDSYS	YES	UNDER ANY TABLE
	MDSYS	YES	UNDER ANY TYPE
	MDSYS	YES	UNDER ANY VIEW
	MDSYS	YES	UNLIMITED TABLESPACE
	MDSYS	YES	UPDATE ANY TABLE
	SYS	YES	DEQUEUE ANY QUEUE
	SYS	YES	ENQUEUE ANY QUEUE
	SYS	YES	MANAGE ANY QUEUE
	SYS	YES	SELECT ANY TABLE
	SYSTEM	YES	UNLIMITED TABLESPACE

Solution:
To revoke the WITH ADMIN OPTION, you must revoke and re-grant the privilege without the WITH ADMIN OPTION.

Description:
Check for object privileges granted using the WITH GRANT OPTION. A user having object privileges with the GRANT OPTION can grant privileges to other users just as if he were the owner of the object. Use of the WITH GRANT OPTION may not be appropriate in certain database environments and use of this option should be limited to security administrators.

CVE Reference No.: CVE-NO-MATCH

Severity	GRANTEE	GRANTABLE	GRANTOR	TABLE_NAME
	SYS	YES	SYSTEM	MVIEW_WORKLOAD
	SYS	YES	SYSTEM	MVIEW_WORKLOAD
	SYS	YES	SYSTEM	MVIEW_FILTER
	SYS	YES	SYSTEM	MVIEW_FILTER
	SYS	YES	SYSTEM	MVIEW_LOG
	SYS	YES	SYSTEM	MVIEW_LOG
	SYS	YES	SYSTEM	MVIEW_FILTERINSTANCE
	SYS	YES	SYSTEM	MVIEW_FILTERINSTANCE
	SYS	YES	SYSTEM	MVIEW_RECOMMENDATIONS
	SYS	YES	SYSTEM	MVIEW_RECOMMENDATIONS
	SYS	YES	SYSTEM	MVIEW_EVALUATIONS
	SYS	YES	SYSTEM	MVIEW_EVALUATIONS
	SYS	YES	SYSTEM	MVIEW_EXCEPTIONS
	SYS	YES	SYSTEM	MVIEW_EXCEPTIONS
	SYS	YES	SYSTEM	DEF$_AQCALL
	SYS	YES	SYSTEM	DEF$_ERROR
	SYS	YES	SYSTEM	DEF$_DESTINATION
	SYS	YES	SYSTEM	DEF$_CALLDEST
	SYS	YES	SYSTEM	DEF$_LOB
	SYS	YES	SYSTEM	DEF$_TEMP$LOB
	SYS	YES	SYSTEM	DEF$_TEMP$LOB
	SYS	YES	SYSTEM	DEF$_TEMP$LOB
	SYS	YES	SYSTEM	DEF$_TEMP$LOB
	SYS	YES	SYSTEM	REPCAT$_REPSCHEMA
	SYS	YES	SYSTEM	REPCAT$_REPPROP
	PUBLIC	YES	SYS	DUAL
	PUBLIC	YES	SYS	SYSTEM_PRIVILEGE_MAP
	PUBLIC	YES	SYS	TABLE_PRIVILEGE_MAP
	PUBLIC	YES	SYS	SESSION_PRIVS
	PUBLIC	YES	SYS	SESSION_ROLES
	PUBLIC	YES	SYS	ROLE_SYS_PRIVS
	PUBLIC	YES	SYS	ROLE_TAB_PRIVS
	PUBLIC	YES	SYS	ROLE_ROLE_PRIVS
	PUBLIC	YES	SYS	USER_RESOURCE_LIMITS
	PUBLIC	YES	SYS	USER_PASSWORD_LIMITS
	PUBLIC	YES	SYS	USER_CATALOG
	PUBLIC	YES	SYS	ALL_CATALOG
	PUBLIC	YES	SYS	USER_CLUSTERS
	PUBLIC	YES	SYS	ALL_CLUSTERS
	PUBLIC	YES	SYS	USER_CLU_COLUMNS
	PUBLIC	YES	SYS	USER_COL_COMMENTS
	PUBLIC	YES	SYS	ALL_COL_COMMENTS
	PUBLIC	YES	SYS	USER_COL_PRIVS
	PUBLIC	YES	SYS	ALL_COL_PRIVS
	PUBLIC	YES	SYS	USER_COL_PRIVS_MADE
	PUBLIC	YES	SYS	ALL_COL_PRIVS_MADE
	PUBLIC	YES	SYS	USER_COL_PRIVS_RECD
	PUBLIC	YES	SYS	ALL_COL_PRIVS_RECD
	PUBLIC	YES	SYS	USER_DB_LINKS
	PUBLIC	YES	SYS	ALL_DB_LINKS
	PUBLIC	YES	SYS	DICTIONARY
	PUBLIC	YES	SYS	DICT_COLUMNS
	PUBLIC	YES	SYS	USER_INDEXES
	PUBLIC	YES	SYS	ALL_INDEXES
	PUBLIC	YES	SYS	USER_IND_COLUMNS
	PUBLIC	YES	SYS	ALL_IND_COLUMNS
	PUBLIC	YES	SYS	USER_IND_EXPRESSIONS
	PUBLIC	YES	SYS	ALL_IND_EXPRESSIONS
	PUBLIC	YES	SYS	INDEX_STATS
	PUBLIC	YES	SYS	INDEX_HISTOGRAM
	PUBLIC	YES	SYS	USER_JOIN_IND_COLUMNS
	PUBLIC	YES	SYS	ALL_JOIN_IND_COLUMNS
	PUBLIC	YES	SYS	USER_OBJECTS
	PUBLIC	YES	SYS	ALL_OBJECTS
	PUBLIC	YES	SYS	USER_PROCEDURES
	PUBLIC	YES	SYS	ALL_PROCEDURES
	PUBLIC	YES	SYS	DBA_PROCEDURES
	PUBLIC	YES	SYS	ALL_STORED_SETTINGS
	PUBLIC	YES	SYS	USER_STORED_SETTINGS
	PUBLIC	YES	SYS	ALL_ARGUMENTS
	PUBLIC	YES	SYS	USER_ARGUMENTS
	PUBLIC	YES	SYS	USER_RESUMABLE
	PUBLIC	YES	SYS	USER_ROLE_PRIVS
	PUBLIC	YES	SYS	USER_SYS_PRIVS
	PUBLIC	YES	SYS	USER_SEQUENCES
	PUBLIC	YES	SYS	ALL_SEQUENCES
	PUBLIC	YES	SYS	USER_SYNONYMS
	PUBLIC	YES	SYS	ALL_SYNONYMS
	PUBLIC	YES	SYS	USER_TABLES
	PUBLIC	YES	SYS	USER_OBJECT_TABLES
	PUBLIC	YES	SYS	USER_ALL_TABLES
	PUBLIC	YES	SYS	ALL_TABLES
	PUBLIC	YES	SYS	ALL_OBJECT_TABLES
	PUBLIC	YES	SYS	ALL_ALL_TABLES
	PUBLIC	YES	SYS	USER_TAB_COLS
	PUBLIC	YES	SYS	ALL_TAB_COLS
	PUBLIC	YES	SYS	USER_TAB_COLUMNS
	PUBLIC	YES	SYS	ALL_TAB_COLUMNS
	PUBLIC	YES	SYS	USER_TAB_COL_STATISTICS
	PUBLIC	YES	SYS	ALL_TAB_COL_STATISTICS
	PUBLIC	YES	SYS	USER_TAB_HISTOGRAMS
	PUBLIC	YES	SYS	ALL_TAB_HISTOGRAMS
	PUBLIC	YES	SYS	USER_TAB_COMMENTS
	PUBLIC	YES	SYS	ALL_TAB_COMMENTS
	PUBLIC	YES	SYS	USER_TAB_PRIVS
	PUBLIC	YES	SYS	ALL_TAB_PRIVS
	PUBLIC	YES	SYS	USER_TAB_PRIVS_MADE
	PUBLIC	YES	SYS	ALL_TAB_PRIVS_MADE
	PUBLIC	YES	SYS	USER_TAB_PRIVS_RECD
	PUBLIC	YES	SYS	ALL_TAB_PRIVS_RECD
	PUBLIC	YES	SYS	USER_TS_QUOTAS
	PUBLIC	YES	SYS	USER_USERS
	PUBLIC	YES	SYS	ALL_USERS
	PUBLIC	YES	SYS	USER_PROXIES
	PUBLIC	YES	SYS	USER_VIEWS
	PUBLIC	YES	SYS	ALL_VIEWS
	PUBLIC	YES	SYS	USER_CONSTRAINTS
	PUBLIC	YES	SYS	ALL_CONSTRAINTS
	PUBLIC	YES	SYS	USER_LOG_GROUPS
	PUBLIC	YES	SYS	ALL_LOG_GROUPS
	PUBLIC	YES	SYS	USER_CLUSTER_HASH_EXPRESSIONS
	PUBLIC	YES	SYS	ALL_CLUSTER_HASH_EXPRESSIONS
	PUBLIC	YES	SYS	USER_CONS_COLUMNS
	PUBLIC	YES	SYS	ALL_CONS_COLUMNS
	PUBLIC	YES	SYS	USER_LOG_GROUP_COLUMNS
	PUBLIC	YES	SYS	ALL_LOG_GROUP_COLUMNS
	PUBLIC	YES	SYS	NLS_SESSION_PARAMETERS
	PUBLIC	YES	SYS	NLS_INSTANCE_PARAMETERS
	PUBLIC	YES	SYS	NLS_DATABASE_PARAMETERS
	PUBLIC	YES	SYS	DATABASE_COMPATIBLE_LEVEL
	PUBLIC	YES	SYS	DATABASE_PROPERTIES
	PUBLIC	YES	SYS	SYSCATALOG
	PUBLIC	YES	SYS	CATALOG
	PUBLIC	YES	SYS	TAB
	PUBLIC	YES	SYS	COL
	PUBLIC	YES	SYS	SYSSEGOBJ
	PUBLIC	YES	SYS	TABQUOTAS
	PUBLIC	YES	SYS	SYSFILES
	PUBLIC	YES	SYS	SYNONYMS
	PUBLIC	YES	SYS	PUBLICSYN
	PUBLIC	YES	SYS	GLOBAL_NAME
	PUBLIC	YES	SYS	PRODUCT_COMPONENT_VERSION
	PUBLIC	YES	SYS	USER_UPDATABLE_COLUMNS
	PUBLIC	YES	SYS	ALL_UPDATABLE_COLUMNS
	PUBLIC	YES	SYS	USER_LOBS
	PUBLIC	YES	SYS	ALL_LOBS
	PUBLIC	YES	SYS	ALL_DIRECTORIES
	PUBLIC	YES	SYS	USER_LIBRARIES
	PUBLIC	YES	SYS	ALL_LIBRARIES
	PUBLIC	YES	SYS	USER_REFS
	PUBLIC	YES	SYS	ALL_REFS
	PUBLIC	YES	SYS	USER_NESTED_TABLES
	PUBLIC	YES	SYS	ALL_NESTED_TABLES
	PUBLIC	YES	SYS	USER_VARRAYS
	PUBLIC	YES	SYS	ALL_VARRAYS
	PUBLIC	YES	SYS	ALL_SUMDELTA
	PUBLIC	YES	SYS	ALL_OPERATORS
	PUBLIC	YES	SYS	USER_OPERATORS
	PUBLIC	YES	SYS	USER_OPBINDINGS
	PUBLIC	YES	SYS	ALL_OPBINDINGS
	PUBLIC	YES	SYS	USER_OPANCILLARY
	PUBLIC	YES	SYS	ALL_OPANCILLARY
	PUBLIC	YES	SYS	USER_OPARGUMENTS
	PUBLIC	YES	SYS	ALL_OPARGUMENTS
	PUBLIC	YES	SYS	USER_INDEXTYPES
	PUBLIC	YES	SYS	ALL_INDEXTYPES
	PUBLIC	YES	SYS	USER_INDEXTYPE_OPERATORS
	PUBLIC	YES	SYS	ALL_INDEXTYPE_OPERATORS
	PUBLIC	YES	SYS	USER_UNUSED_COL_TABS
	PUBLIC	YES	SYS	ALL_UNUSED_COL_TABS
	PUBLIC	YES	SYS	USER_PARTIAL_DROP_TABS
	PUBLIC	YES	SYS	ALL_PARTIAL_DROP_TABS
	PUBLIC	YES	SYS	USER_ASSOCIATIONS
	PUBLIC	YES	SYS	ALL_ASSOCIATIONS
	PUBLIC	YES	SYS	USER_USTATS
	PUBLIC	YES	SYS	ALL_USTATS
	PUBLIC	YES	SYS	USER_TAB_MODIFICATIONS
	PUBLIC	YES	SYS	ALL_TAB_MODIFICATIONS
	PUBLIC	YES	SYS	USER_PART_TABLES
	PUBLIC	YES	SYS	ALL_PART_TABLES
	PUBLIC	YES	SYS	USER_PART_INDEXES
	PUBLIC	YES	SYS	ALL_PART_INDEXES
	PUBLIC	YES	SYS	USER_PART_KEY_COLUMNS
	PUBLIC	YES	SYS	ALL_PART_KEY_COLUMNS
	PUBLIC	YES	SYS	USER_TAB_PARTITIONS
	PUBLIC	YES	SYS	ALL_TAB_PARTITIONS
	PUBLIC	YES	SYS	USER_IND_PARTITIONS
	PUBLIC	YES	SYS	ALL_IND_PARTITIONS
	PUBLIC	YES	SYS	USER_TAB_SUBPARTITIONS
	PUBLIC	YES	SYS	ALL_TAB_SUBPARTITIONS
	PUBLIC	YES	SYS	USER_IND_SUBPARTITIONS
	PUBLIC	YES	SYS	ALL_IND_SUBPARTITIONS
	PUBLIC	YES	SYS	USER_PART_COL_STATISTICS
	PUBLIC	YES	SYS	ALL_PART_COL_STATISTICS
	PUBLIC	YES	SYS	USER_PART_HISTOGRAMS
	PUBLIC	YES	SYS	ALL_PART_HISTOGRAMS
	PUBLIC	YES	SYS	USER_SUBPART_COL_STATISTICS
	PUBLIC	YES	SYS	ALL_SUBPART_COL_STATISTICS
	PUBLIC	YES	SYS	USER_SUBPART_HISTOGRAMS
	PUBLIC	YES	SYS	ALL_SUBPART_HISTOGRAMS
	PUBLIC	YES	SYS	USER_SUBPART_KEY_COLUMNS
	PUBLIC	YES	SYS	ALL_SUBPART_KEY_COLUMNS
	PUBLIC	YES	SYS	USER_PART_LOBS
	PUBLIC	YES	SYS	ALL_PART_LOBS
	PUBLIC	YES	SYS	USER_LOB_PARTITIONS
	PUBLIC	YES	SYS	ALL_LOB_PARTITIONS
	PUBLIC	YES	SYS	USER_LOB_SUBPARTITIONS
	PUBLIC	YES	SYS	ALL_LOB_SUBPARTITIONS
	PUBLIC	YES	SYS	USER_TYPES
	PUBLIC	YES	SYS	ALL_TYPES
	PUBLIC	YES	SYS	USER_COLL_TYPES
	PUBLIC	YES	SYS	ALL_COLL_TYPES
	PUBLIC	YES	SYS	USER_TYPE_ATTRS
	PUBLIC	YES	SYS	ALL_TYPE_ATTRS
	PUBLIC	YES	SYS	USER_TYPE_METHODS
	PUBLIC	YES	SYS	ALL_TYPE_METHODS
	PUBLIC	YES	SYS	USER_METHOD_PARAMS
	PUBLIC	YES	SYS	ALL_METHOD_PARAMS
	PUBLIC	YES	SYS	USER_METHOD_RESULTS
	PUBLIC	YES	SYS	ALL_METHOD_RESULTS
	PUBLIC	YES	SYS	USER_SQLJ_TYPES
	PUBLIC	YES	SYS	ALL_SQLJ_TYPES
	PUBLIC	YES	SYS	USER_TYPE_VERSIONS
	PUBLIC	YES	SYS	ALL_TYPE_VERSIONS
	PUBLIC	YES	SYS	USER_PENDING_CONV_TABLES
	PUBLIC	YES	SYS	ALL_PENDING_CONV_TABLES
	PUBLIC	YES	SYS	USER_SQLJ_TYPE_ATTRS
	PUBLIC	YES	SYS	ALL_SQLJ_TYPE_ATTRS
	PUBLIC	YES	SYS	USER_SQLJ_TYPE_METHODS
	PUBLIC	YES	SYS	ALL_SQLJ_TYPE_METHODS
	PUBLIC	YES	SYS	ALL_DIMENSIONS
	PUBLIC	YES	SYS	USER_DIMENSIONS
	PUBLIC	YES	SYS	ALL_DIM_LEVELS
	PUBLIC	YES	SYS	USER_DIM_LEVELS
	PUBLIC	YES	SYS	ALL_DIM_LEVEL_KEY
	PUBLIC	YES	SYS	USER_DIM_LEVEL_KEY
	PUBLIC	YES	SYS	ALL_DIM_ATTRIBUTES
	PUBLIC	YES	SYS	USER_DIM_ATTRIBUTES
	PUBLIC	YES	SYS	ALL_DIM_HIERARCHIES
	PUBLIC	YES	SYS	USER_DIM_HIERARCHIES
	PUBLIC	YES	SYS	ALL_DIM_CHILD_OF
	PUBLIC	YES	SYS	USER_DIM_CHILD_OF
	PUBLIC	YES	SYS	ALL_DIM_JOIN_KEY
	PUBLIC	YES	SYS	USER_DIM_JOIN_KEY
	PUBLIC	YES	SYS	ALL_SUMMARIES
	PUBLIC	YES	SYS	USER_SUMMARIES
	PUBLIC	YES	SYS	USER_SUMMARY_AGGREGATES
	PUBLIC	YES	SYS	ALL_SUMMARY_AGGREGATES
	PUBLIC	YES	SYS	ALL_SUMMARY_DETAIL_TABLES
	PUBLIC	YES	SYS	USER_SUMMARY_DETAIL_TABLES
	PUBLIC	YES	SYS	ALL_SUMMARY_KEYS
	PUBLIC	YES	SYS	USER_SUMMARY_KEYS
	PUBLIC	YES	SYS	ALL_SUMMARY_JOINS
	PUBLIC	YES	SYS	USER_SUMMARY_JOINS
	PUBLIC	YES	SYS	ALL_MVIEW_ANALYSIS
	PUBLIC	YES	SYS	USER_MVIEW_ANALYSIS
	PUBLIC	YES	SYS	USER_MVIEW_AGGREGATES
	PUBLIC	YES	SYS	ALL_MVIEW_AGGREGATES
	PUBLIC	YES	SYS	ALL_MVIEW_DETAIL_RELATIONS
	PUBLIC	YES	SYS	USER_MVIEW_DETAIL_RELATIONS
	PUBLIC	YES	SYS	ALL_MVIEW_KEYS
	PUBLIC	YES	SYS	USER_MVIEW_KEYS
	PUBLIC	YES	SYS	ALL_MVIEW_JOINS
	PUBLIC	YES	SYS	USER_MVIEW_JOINS
	PUBLIC	YES	SYS	ALL_REFRESH_DEPENDENCIES
	PUBLIC	YES	SYS	USER_EXTERNAL_TABLES
	PUBLIC	YES	SYS	ALL_EXTERNAL_TABLES
	PUBLIC	YES	SYS	USER_EXTERNAL_LOCATIONS
	PUBLIC	YES	SYS	ALL_EXTERNAL_LOCATIONS
	PUBLIC	YES	SYS	USER_ERRORS
	PUBLIC	YES	SYS	ALL_ERRORS
	PUBLIC	YES	SYS	USER_SOURCE
	PUBLIC	YES	SYS	ALL_SOURCE
	PUBLIC	YES	SYS	USER_TRIGGERS
	PUBLIC	YES	SYS	ALL_TRIGGERS
	PUBLIC	YES	SYS	USER_INTERNAL_TRIGGERS
	PUBLIC	YES	SYS	ALL_INTERNAL_TRIGGERS
	PUBLIC	YES	SYS	USER_DEPENDENCIES
	PUBLIC	YES	SYS	ALL_DEPENDENCIES
	PUBLIC	YES	SYS	PUBLIC_DEPENDENCY
	PUBLIC	YES	SYS	USER_OBJECT_SIZE
	PUBLIC	YES	SYS	USER_JOBS
	PUBLIC	YES	SYS	ORA_KGLR7_DEPENDENCIES
	PUBLIC	YES	SYS	ORA_KGLR7_IDL_UB1
	PUBLIC	YES	SYS	ORA_KGLR7_IDL_CHAR
	PUBLIC	YES	SYS	ORA_KGLR7_IDL_UB2
	PUBLIC	YES	SYS	ORA_KGLR7_IDL_SB4
	PUBLIC	YES	SYS	ORA_KGLR7_DB_LINKS
	PUBLIC	YES	SYS	USER_SEGMENTS
	PUBLIC	YES	SYS	USER_EXTENTS
	PUBLIC	YES	SYS	USER_FREE_SPACE
	PUBLIC	YES	SYS	USER_TABLESPACES
	PUBLIC	YES	SYS	SESSION_CONTEXT
	PUBLIC	YES	SYS	ALL_CONTEXT
	PUBLIC	YES	SYS	DBMS_JOB
	PUBLIC	YES	SYS	USER_RULESETS
	PUBLIC	YES	SYS	USER_TRANSFORMATIONS
	PUBLIC	YES	SYS	USER_ATTRIBUTE_TRANSFORMATIONS
	PUBLIC	YES	SYS	ALL_QUEUE_TABLES
	PUBLIC	YES	SYS	USER_QUEUE_TABLES
	PUBLIC	YES	SYS	ALL_QUEUES
	PUBLIC	YES	SYS	USER_QUEUES
	PUBLIC	YES	SYS	USER_QUEUE_SCHEDULES
	PUBLIC	YES	SYS	QUEUE_PRIVILEGES
	PUBLIC	YES	SYS	DEFAULT_CONSUMER_GROUP
	PUBLIC	YES	SYS	USER_RSRC_CONSUMER_GROUP_PRIVS
	PUBLIC	YES	SYS	USER_RSRC_MANAGER_SYSTEM_PRIVS
	PUBLIC	YES	SYS	ALL_SNAPSHOTS
	PUBLIC	YES	SYS	USER_SNAPSHOTS
	PUBLIC	YES	SYS	ALL_SNAPSHOT_LOGS
	PUBLIC	YES	SYS	USER_SNAPSHOT_LOGS
	PUBLIC	YES	SYS	ALL_REFRESH
	PUBLIC	YES	SYS	USER_REFRESH
	PUBLIC	YES	SYS	ALL_REFRESH_CHILDREN
	PUBLIC	YES	SYS	USER_REFRESH_CHILDREN
	PUBLIC	YES	SYS	ALL_REGISTERED_SNAPSHOTS
	PUBLIC	YES	SYS	USER_REGISTERED_SNAPSHOTS
	PUBLIC	YES	SYS	ALL_MVIEWS
	PUBLIC	YES	SYS	USER_MVIEWS
	PUBLIC	YES	SYS	ALL_MVIEW_REFRESH_TIMES
	PUBLIC	YES	SYS	USER_MVIEW_REFRESH_TIMES
	PUBLIC	YES	SYS	ALL_MVIEW_LOGS
	PUBLIC	YES	SYS	USER_MVIEW_LOGS
	PUBLIC	YES	SYS	ALL_BASE_TABLE_MVIEWS
	PUBLIC	YES	SYS	USER_BASE_TABLE_MVIEWS
	PUBLIC	YES	SYS	ALL_REGISTERED_MVIEWS
	PUBLIC	YES	SYS	USER_REGISTERED_MVIEWS
	PUBLIC	YES	SYS	ALL_POLICIES
	PUBLIC	YES	SYS	USER_POLICIES
	PUBLIC	YES	SYS	USER_OUTLINES
	PUBLIC	YES	SYS	USER_OUTLINE_HINTS
	PUBLIC	YES	SYS	ODCICOLINFO
	PUBLIC	YES	SYS	ODCICOLINFOLIST
	PUBLIC	YES	SYS	ODCICOLINFOLIST2
	PUBLIC	YES	SYS	ODCIINDEXINFO
	PUBLIC	YES	SYS	ODCIPARTINFO
	PUBLIC	YES	SYS	ODCIPREDINFO
	PUBLIC	YES	SYS	ODCIRIDLIST
	PUBLIC	YES	SYS	ODCIINDEXCTX
	PUBLIC	YES	SYS	ODCIOBJECT
	PUBLIC	YES	SYS	ODCIOBJECTLIST
	PUBLIC	YES	SYS	ODCIQUERYINFO
	PUBLIC	YES	SYS	ODCIFUNCINFO
	PUBLIC	YES	SYS	ODCICOST
	PUBLIC	YES	SYS	ODCIARGDESC
	PUBLIC	YES	SYS	ODCIARGDESCLIST
	PUBLIC	YES	SYS	ODCISTATSOPTIONS
	PUBLIC	YES	SYS	ODCIENV
	PUBLIC	YES	SYS	ODCIEXTTABLEINFO
	PUBLIC	YES	SYS	ODCIGRANULELIST
	PUBLIC	YES	SYS	ODCIEXTTABLEQCINFO
	PUBLIC	YES	SYS	ODCISECOBJ
	PUBLIC	YES	SYS	ODCISECOBJTABLE
	PUBLIC	YES	SYS	USER_APPLICATION_ROLES
	PUBLIC	YES	SYS	XMLTYPE
	PUBLIC	YES	SYS	XMLGENFORMATTYPE
	PUBLIC	YES	SYS	SYS_IXMLAGG
	PUBLIC	YES	SYS	SYS_XMLAGG
	PUBLIC	YES	SYS	AGGXMLINPUTTYPE
	PUBLIC	YES	SYS	XMLINDEXOPS
	PUBLIC	YES	SYS	URITYPE
	PUBLIC	YES	SYS	URITYPE
	PUBLIC	YES	SYS	FTPURITYPE
	PUBLIC	YES	SYS	HTTPURITYPE
	PUBLIC	YES	SYS	DBURITYPE
	PUBLIC	YES	SYS	URIFACTORY
	PUBLIC	YES	SYS	ORACLE_LOADER
	PUBLIC	YES	SYS	ALL_REPGROUP_PRIVILEGES
	PUBLIC	YES	SYS	USER_REPGROUP_PRIVILEGES
	PUBLIC	YES	SYS	USER_REPGROUP
	PUBLIC	YES	SYS	USER_REPCAT
	PUBLIC	YES	SYS	ALL_REPGROUP
	PUBLIC	YES	SYS	ALL_REPCAT
	PUBLIC	YES	SYS	USER_REPSITES
	PUBLIC	YES	SYS	ALL_REPSITES
	PUBLIC	YES	SYS	USER_REPSCHEMA
	PUBLIC	YES	SYS	ALL_REPSCHEMA
	PUBLIC	YES	SYS	USER_REPOBJECT
	PUBLIC	YES	SYS	ALL_REPOBJECT
	PUBLIC	YES	SYS	ALL_REPCOLUMN
	PUBLIC	YES	SYS	_ALL_REPCOLUMN
	PUBLIC	YES	SYS	USER_REPCOLUMN
	PUBLIC	YES	SYS	USER_REPPROP
	PUBLIC	YES	SYS	ALL_REPPROP
	PUBLIC	YES	SYS	USER_REPKEY_COLUMNS
	PUBLIC	YES	SYS	ALL_REPKEY_COLUMNS
	PUBLIC	YES	SYS	USER_REPGENOBJECTS
	PUBLIC	YES	SYS	ALL_REPGENOBJECTS
	PUBLIC	YES	SYS	USER_REPGENERATED
	PUBLIC	YES	SYS	ALL_REPGENERATED
	PUBLIC	YES	SYS	USER_REPCATLOG
	PUBLIC	YES	SYS	ALL_REPCATLOG
	PUBLIC	YES	SYS	USER_REPDDL
	PUBLIC	YES	SYS	ALL_REPDDL
	PUBLIC	YES	SYS	ALL_REPPRIORITY_GROUP
	PUBLIC	YES	SYS	USER_REPPRIORITY_GROUP
	PUBLIC	YES	SYS	ALL_REPPRIORITY
	PUBLIC	YES	SYS	USER_REPPRIORITY
	PUBLIC	YES	SYS	ALL_REPCOLUMN_GROUP
	PUBLIC	YES	SYS	USER_REPCOLUMN_GROUP
	PUBLIC	YES	SYS	ALL_REPGROUPED_COLUMN
	PUBLIC	YES	SYS	USER_REPGROUPED_COLUMN
	PUBLIC	YES	SYS	_ALL_REPGROUPED_COLUMN
	PUBLIC	YES	SYS	_ALL_REPCOLUMN_GROUP
	PUBLIC	YES	SYS	ALL_REPCONFLICT
	PUBLIC	YES	SYS	USER_REPCONFLICT
	PUBLIC	YES	SYS	ALL_REPRESOLUTION_METHOD
	PUBLIC	YES	SYS	USER_REPRESOLUTION_METHOD
	PUBLIC	YES	SYS	ALL_REPRESOLUTION
	PUBLIC	YES	SYS	USER_REPRESOLUTION
	PUBLIC	YES	SYS	_ALL_REPRESOLUTION
	PUBLIC	YES	SYS	ALL_REPRESOLUTION_STATISTICS
	PUBLIC	YES	SYS	USER_REPRESOLUTION_STATISTICS
	PUBLIC	YES	SYS	ALL_REPRESOL_STATS_CONTROL
	PUBLIC	YES	SYS	USER_REPRESOL_STATS_CONTROL
	PUBLIC	YES	SYS	_ALL_REPPARAMETER_COLUMN
	PUBLIC	YES	SYS	ALL_REPPARAMETER_COLUMN
	PUBLIC	YES	SYS	USER_REPPARAMETER_COLUMN
	PUBLIC	YES	SYS	_ALL_REPCONFLICT
	PUBLIC	YES	SYS	ALL_REPAUDIT_ATTRIBUTE
	PUBLIC	YES	SYS	USER_REPAUDIT_ATTRIBUTE
	PUBLIC	YES	SYS	ALL_REPAUDIT_COLUMN
	PUBLIC	YES	SYS	USER_REPAUDIT_COLUMN
	PUBLIC	YES	SYS	ALL_REPFLAVORS
	PUBLIC	YES	SYS	USER_REPFLAVORS
	PUBLIC	YES	SYS	ALL_REPFLAVOR_OBJECTS
	PUBLIC	YES	SYS	_ALL_REPFLAVOR_OBJECTS
	PUBLIC	YES	SYS	USER_REPFLAVOR_OBJECTS
	PUBLIC	YES	SYS	ALL_REPFLAVOR_COLUMNS
	PUBLIC	YES	SYS	USER_REPFLAVOR_COLUMNS
	PUBLIC	YES	SYS	ALL_REPCAT_USER_AUTHORIZATIONS
	PUBLIC	YES	SYS	USER_REPCAT_USER_AUTHORIZATION
	PUBLIC	YES	SYS	ALL_REPCAT_REFRESH_TEMPLATES
	PUBLIC	YES	SYS	USER_REPCAT_REFRESH_TEMPLATES
	PUBLIC	YES	SYS	ALL_REPCAT_TEMPLATE_OBJECTS
	PUBLIC	YES	SYS	USER_REPCAT_TEMPLATE_OBJECTS
	PUBLIC	YES	SYS	ALL_REPCAT_TEMPLATE_PARMS
	PUBLIC	YES	SYS	USER_REPCAT_TEMPLATE_PARMS
	PUBLIC	YES	SYS	ALL_REPCAT_USER_PARM_VALUES
	PUBLIC	YES	SYS	USER_REPCAT_USER_PARM_VALUES
	PUBLIC	YES	SYS	ALL_REPCAT_TEMPLATE_SITES
	PUBLIC	YES	SYS	USER_REPCAT_TEMPLATE_SITES
	PUBLIC	YES	SYS	_ALL_INSTANTIATION_DDL
	PUBLIC	YES	SYS	_ALL_REPEXTENSIONS
	PUBLIC	YES	SYS	_ALL_REPSITES_NEW
	PUBLIC	YES	SYS	LT_CTX_PKG
	PUBLIC	YES	SYS	USER_WM_PRIVS
	PUBLIC	YES	SYS	ROLE_WM_PRIVS
	PUBLIC	YES	SYS	ALL_WORKSPACES_INTERNAL
	PUBLIC	YES	SYS	USER_WORKSPACES
	PUBLIC	YES	SYS	ALL_WORKSPACES
	PUBLIC	YES	SYS	USER_WORKSPACE_PRIVS
	PUBLIC	YES	SYS	ALL_WORKSPACE_PRIVS
	PUBLIC	YES	SYS	USER_WM_VERSIONED_TABLES
	PUBLIC	YES	SYS	ALL_WM_VERSIONED_TABLES
	PUBLIC	YES	SYS	USER_WM_MODIFIED_TABLES
	PUBLIC	YES	SYS	ALL_WM_MODIFIED_TABLES
	PUBLIC	YES	SYS	USER_WM_TAB_TRIGGERS
	PUBLIC	YES	SYS	ALL_WM_TAB_TRIGGERS
	PUBLIC	YES	SYS	USER_WORKSPACE_SAVEPOINTS
	PUBLIC	YES	SYS	ALL_WORKSPACE_SAVEPOINTS
	PUBLIC	YES	SYS	USER_WM_RIC_INFO
	PUBLIC	YES	SYS	ALL_WM_RIC_INFO
	PUBLIC	YES	SYS	ALL_VERSION_HVIEW
	PUBLIC	YES	SYS	WM$ALL_LOCKS_VIEW
	PUBLIC	YES	SYS	ALL_WM_LOCKED_TABLES
	PUBLIC	YES	SYS	USER_WM_LOCKED_TABLES
	PUBLIC	YES	SYS	WM$VER_BEF_INST_PARVERS_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_PARVERS_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_NEXTVERS_VIEW
	PUBLIC	YES	SYS	WM$VER_BEF_INST_NEXTVERS_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_PARVERS_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_NEXTVERS_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_PARVERS_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_NEXTVERS_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_WORKSPACE_VIEW
	PUBLIC	YES	SYS	WM$PARENT_WORKSPACE_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$PARENT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$CURCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$PARCONFLICT_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_SAVEPOINTS_VIEW
	PUBLIC	YES	SYS	WM$MODIFIED_TABLES_VIEW
	PUBLIC	YES	SYS	WM$CURRENT_VER_VIEW
	PUBLIC	YES	SYS	WM$DIFF1_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$DIFF2_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$BASE_HIERARCHY_VIEW
	PUBLIC	YES	SYS	WM$DIFF1_NEXTVER_VIEW
	PUBLIC	YES	SYS	WM$DIFF2_NEXTVER_VIEW
	PUBLIC	YES	SYS	WM$BASE_NEXTVER_VIEW
	PUBLIC	YES	SYS	USER_JAVA_POLICY
	PUBLIC	YES	SYS	ALL_IDS
	PUBLIC	YES	ORDSYS	ORDIMERRORCODES
	PUBLIC	YES	ORDSYS	IM
	PUBLIC	YES	ORDSYS	ORDSOURCEEXCEPTIONS
	PUBLIC	YES	ORDSYS	ORDSOURCE
	PUBLIC	YES	ORDSYS	ORDIMGB
	PUBLIC	YES	ORDSYS	ORDIMGF
	PUBLIC	YES	ORDSYS	ORDIMAGE
	PUBLIC	YES	ORDSYS	ORDIMAGESIGNATURE
	PUBLIC	YES	ORDSYS	ORDIMAGEEXCEPTIONS
	PUBLIC	YES	ORDSYS	ORDIMAGECONSTANTS
	PUBLIC	YES	ORDSYS	ORDIMG_PKG
	PUBLIC	YES	ORDSYS	ORDIMGSIG_PKG
	PUBLIC	YES	ORDSYS	ORDIMGEXTCODEC_PKG
	PUBLIC	YES	ORDSYS	ORDIMGIDXMETHODS
	PUBLIC	YES	ORDSYS	ORDIMAGEINDEXSTATS
	PUBLIC	YES	ORDSYS	SCOREFUNC
	PUBLIC	YES	ORDSYS	SIMILARFUNC
	PUBLIC	YES	ORDSYS	IMGSIMILAR
	PUBLIC	YES	ORDSYS	IMGSCORE
	PUBLIC	YES	ORDSYS	ORDIMAGEINDEX
	PUBLIC	YES	ORDSYS	ORDANNOTATIONSEXCEPTIONS
	PUBLIC	YES	ORDSYS	ORDANNOTATION
	PUBLIC	YES	ORDSYS	ORDANNOTATIONLIST
	PUBLIC	YES	ORDSYS	ORDAUDIO
	PUBLIC	YES	ORDSYS	ORDAUDIOEXCEPTIONS
	PUBLIC	YES	ORDSYS	ORDAUDIO_PKG
	PUBLIC	YES	ORDSYS	ORDVIDEO
	PUBLIC	YES	ORDSYS	ORDVIDEOEXCEPTIONS
	PUBLIC	YES	ORDSYS	ORDVIDEO_PKG
	PUBLIC	YES	ORDSYS	ORDDOC
	PUBLIC	YES	ORDSYS	ORDDOCEXCEPTIONS
	PUBLIC	YES	ORDPLUGINS	ORDX_HTTP_SOURCE
	PUBLIC	YES	ORDPLUGINS	ORDX_FILE_SOURCE
	PUBLIC	YES	ORDPLUGINS	ORDX_AIFC_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_AIFF_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_AUFF_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_DEFAULT_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_WAVE_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_MPGA_AUDIO
	PUBLIC	YES	ORDPLUGINS	ORDX_DEFAULT_VIDEO
	PUBLIC	YES	ORDPLUGINS	ORDX_AVI_VIDEO
	PUBLIC	YES	ORDPLUGINS	ORDX_MPEG_VIDEO
	PUBLIC	YES	ORDPLUGINS	ORDX_MOOV_VIDEO
	PUBLIC	YES	ORDPLUGINS	ORDX_RMFF_VIDEO
	PUBLIC	YES	ORDPLUGINS	ORDX_DEFAULT_DOC
	PUBLIC	YES	MDSYS	SDO_POINT_TYPE
	PUBLIC	YES	MDSYS	SDO_ORDINATE_ARRAY
	PUBLIC	YES	MDSYS	SDO_ELEM_INFO_ARRAY
	PUBLIC	YES	MDSYS	SDO_GEOMETRY
	PUBLIC	YES	MDSYS	SDO_DIM_ELEMENT
	PUBLIC	YES	MDSYS	SDO_DIM_ARRAY
	PUBLIC	YES	MDSYS	SDO_VPOINT_TYPE
	PUBLIC	YES	MDSYS	SDO_MBR
	PUBLIC	YES	MDSYS	SDO_RID_ARRAY
	PUBLIC	YES	MDSYS	GEOCODE_RESULT
	PUBLIC	YES	SYS	MEDIA_DIR
	SYSTEM	YES	SYS	DBMS_RULE_EXIMP
	SYSTEM	YES	SYS	DBMS_TRANSFORM_EXIMP
	SYSTEM	YES	SYS	DBMS_AQ
	SYSTEM	YES	SYS	DBMS_AQADM
	SYSTEM	YES	SYS	DBMS_AQ_IMPORT_INTERNAL
	SYSTEM	YES	SYS	DBMS_AQELM
	ORDSYS	YES	SYS	DBA_TABLES
	ORDSYS	YES	SYS	DBA_OBJECT_TABLES
	ORDSYS	YES	SYS	DBA_VIEWS
	OLAPSYS	YES	SYS	OBJ$
	OLAPSYS	YES	SYS	COL$
	OLAPSYS	YES	SYS	USER$
	OLAPSYS	YES	SYS	CON$
	OLAPSYS	YES	SYS	CDEF$
	OLAPSYS	YES	SYS	CCOL$
	OLAPSYS	YES	SYS	OBJAUTH$
	OLAPSYS	YES	SYS	SYSAUTH$
	OLAPSYS	YES	SYS	DEPENDENCY$
	OLAPSYS	YES	SYS	DIM$
	OLAPSYS	YES	SYS	DIMLEVEL$
	OLAPSYS	YES	SYS	DIMLEVELKEY$
	OLAPSYS	YES	SYS	DIMJOINKEY$
	OLAPSYS	YES	SYS	DIMATTR$
	OLAPSYS	YES	SYS	HIER$
	OLAPSYS	YES	SYS	HIERLEVEL$
	OLAPSYS	YES	SYS	V_$ENABLEDPRIVS
	MDSYS	YES	SYS	DBA_OBJECT_TABLES
	MDSYS	YES	SYS	DBA_VIEWS
	CTXSYS	YES	SYS	TAB$
	CTXSYS	YES	SYS	OBJ$
	CTXSYS	YES	SYS	USER$
	CTXSYS	YES	SYS	SYN$
	CTXSYS	YES	SYS	VIEW$
	CTXSYS	YES	SYS	ARGUMENT$
	CTXSYS	YES	SYS	SYSAUTH$
	CTXSYS	YES	SYS	V_$THREAD
	CTXSYS	YES	SYS	V_$SESSION
	CTXSYS	YES	SYS	V_$RESOURCE
	CTXSYS	YES	SYS	V_$PARAMETER
	CTXSYS	YES	SYS	DBA_ROLES
	CTXSYS	YES	SYS	DBA_DB_LINKS
	CTXSYS	YES	SYS	DBA_OBJECTS
	CTXSYS	YES	SYS	DBA_ROLE_PRIVS
	CTXSYS	YES	SYS	DBA_SYNONYMS
	CTXSYS	YES	SYS	DBA_TAB_PRIVS
	CTXSYS	YES	SYS	DBA_CONS_COLUMNS
	CTXSYS	YES	SYS	DBA_TYPE_ATTRS
	SH	YES	SYS	DATA_FILE_DIR
	SH	YES	SYS	DATA_FILE_DIR
	SH	YES	SYS	LOG_FILE_DIR
	SH	YES	SYS	LOG_FILE_DIR